
Windows Analysis Report
dnf5RWZv2v.exe

Overview

General Information

Sample name:dnf5RWZv2v.exe
renamed because original name is a hash value
Original sample name:46ef8e940afc468128082e2658882b7d.exe
Analysis ID:1579754
MD5:46ef8e940afc468128082e2658882b7d
SHA1:150b9ac76371d7d3ab73173b591e3a157ea7921e
SHA256:3ae4063b6d153cd438004ec8ffebdd2ad73f3423e602336301c7c779ae3d3195
Tags:exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
PE file does not import any functions
PE file overlay found

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: dnf5RWZv2v.exe | Virustotal: Detection: 18%
Source: dnf5RWZv2v.exe | ReversingLabs: Detection: 26%
Source: dnf5RWZv2v.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: dnf5RWZv2v.exe | Static PE information: No import functions for PE file found
Source: dnf5RWZv2v.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
Source: dnf5RWZv2v.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dnf5RWZv2v.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dnf5RWZv2v.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: dnf5RWZv2v.exe | Static file information: File size 1464384 > 1048576
Source: dnf5RWZv2v.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x110c00
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dnf5RWZv2v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dnf5RWZv2v.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dnf5RWZv2v.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dnf5RWZv2v.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dnf5RWZv2v.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dnf5RWZv2v.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label
dnf5RWZv2v.exe | 18% | Virustotal |
dnf5RWZv2v.exe | 26% | ReversingLabs |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579754
Start date and time:2024-12-23 08:36:51 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:dnf5RWZv2v.exe
renamed because original name is a hash value
Original Sample Name:46ef8e940afc468128082e2658882b7d.exe
Detection:MAL
Classification:mal48.winEXE@0/0@0/0
Cookbook Comments:
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
• No process behavior to analyse as no analysis process or sample was found
• Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.223.35.26, 2.16.158.176, 2.16.158.192, 2.16.158.185, 2.16.158.184, 2.16.158.186, 2.16.158.170, 2.16.158.169, 2.16.158.187, 2.16.158.179, 20.198.119.84, 20.190.181.2, 13.107.246.63
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, arc.msn.com, www-www.bing.com.trafficmanager.net, wns.notify.trafficmanager.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, ocsp.edge.digicert.com, arc.trafficmanager.net, azureedge-t-prod.trafficmanager.net, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
No simulations
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | ME3htMIepa.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | stealcy11.exe | malicious | Stealc | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | skIYOAOzvU.exe | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | fiFdIrd.txt.js | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | mPQW1NB2Px.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | uw7vXaPNPF.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | HOEcO4nqCT.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | D7M4c24p9T.exe | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | fW6RLQpTIt.exe | malicious | Cryptbot | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | gjEtERlBSv.exe | malicious | Socks5Systemz | 13.107.246.63
fp2e7a.wpc.phicdn.net | crhRJnVd08.exe | malicious | Clipboard Hijacker, Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | xWnpPJbKGK.exe | malicious | Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | skIYOAOzvU.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | 1fgVMJOnF0.exe | malicious | Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | cred64.dll.dll | malicious | Amadey | 192.229.221.95
fp2e7a.wpc.phicdn.net | tg.exe | malicious | Babadeda | 192.229.221.95
fp2e7a.wpc.phicdn.net | iepdf32.dll | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | Support.Client.exe | malicious | ScreenConnect Tool | 192.229.221.95
fp2e7a.wpc.phicdn.net | 62f928.msi | malicious | Remcos | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 192.229.221.95
No context
No created / dropped files found
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):6.489662021256218
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:dnf5RWZv2v.exe
File size:1'464'384 bytes
MD5:46ef8e940afc468128082e2658882b7d
SHA1:150b9ac76371d7d3ab73173b591e3a157ea7921e
SHA256:3ae4063b6d153cd438004ec8ffebdd2ad73f3423e602336301c7c779ae3d3195
SHA512:acbb29e31e451db0fbc9eb3ad82e2d6b4363306ae68ec9243d753bfb739b5ad2859e49f5e4b8af4fac958b147579e128793e8132d9f54e90bc954b9420e148bc
SSDEEP:24576:1MWluOKJhmZt0JV4f3Nsf0wZXeF5GzQ4EL4x5odi2X0ZwRL/eJm3Lh0lhSMXl2I:eWluOKJkZt0J4Nsf0wZXeFaQ4ELmCdkd
TLSH:55654A95156D02E9C8BEC038CA9F8A12F676344913B1A7FB1AD047921FB77E06E3E750
File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........az.N...N...N....x..O....x..O.......W...v...`...v...B...^...F...^...^...^...-....x.......x..D....x..X...N...m....x..S.......Q..
Icon Hash:00928e8e8686b000
Entrypoint:0x1400b6918
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x67332122 [Tue Nov 12 09:34:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:
Instruction (entrypoint disassembly)
dec eax
sub esp, 28h
call 00007F3129250B7Ch
dec eax
add esp, 28h
jmp 00007F312925031Fh
int3
int3
and dword ptr [001345EDh], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [0005B9C2h]
test eax, eax
je 00007F31292504A6h
mov ecx, ebx
int 29h
mov ecx, 00000003h
call 00007F3129250469h
xor edx, edx
dec eax
lea ecx, dword ptr [ebp-10h]
inc ecx
mov eax, 000004D0h
call 00007F31292975DCh
dec eax
lea ecx, dword ptr [ebp-10h]
call dword ptr [0005B965h]
dec eax
mov ebx, dword ptr [ebp+000000E8h]
dec eax
lea edx, dword ptr [ebp+000004D8h]
dec eax
mov ecx, ebx
inc ebp
xor eax, eax
call dword ptr [0005B953h]
dec eax
test eax, eax
je 00007F31292504DEh
dec eax
and dword ptr [esp+38h], 00000000h
dec eax
lea ecx, dword ptr [ebp+000004E0h]
dec eax
mov edx, dword ptr [ebp+000004D8h]
dec esp
mov ecx, eax
dec eax
mov dword ptr [esp+30h], ecx
dec esp
mov eax, ebx
dec eax
lea ecx, dword ptr [ebp+000004E8h]
dec eax
mov dword ptr [esp+28h], ecx
dec eax
lea ecx, dword ptr [ebp-10h]
dec eax
mov dword ptr [esp+20h], ecx
xor ecx, ecx
call dword ptr [0005B91Ah]
dec eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e1d98 | 0x12c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f6000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1ed000 | 0x8b2c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1f7000 | 0x20dc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1c8480 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1c8680 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1c8340 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x112000 | 0x788 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x110b5c | 0x110c00 | 2b314fdffa00720e738132a45c3dac35 | False | 0.435774232355637 | data | 6.370676605257312 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x112000 | 0xd16c4 | 0xd1800 | 0091fd5416d7df7918866eb6db52fc64 | False | 0.39737301257163987 | OpenPGP Secret Key | 6.194383654779732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1e4000 | 0x842c | 0x6000 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1ed000 | 0x8b2c | 0x8c00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1f6000 | 0x1e0 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1f7000 | 0x20dc | 0x2200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 23, 2024 08:37:41.914835930 CET | 1.1.1.1 | 192.168.2.6 | 0x85a3 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 08:37:41.914835930 CET | 1.1.1.1 | 192.168.2.6 | 0x85a3 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 23, 2024 08:37:49.382833958 CET | 1.1.1.1 | 192.168.2.6 | 0x43fb | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 23, 2024 08:37:49.382833958 CET | 1.1.1.1 | 192.168.2.6 | 0x43fb | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
No statistics
No system behavior
No disassembly