
Windows Analysis Report
eEC2TBvZ2V.exe

Overview

General Information

Sample name: eEC2TBvZ2V.exe (renamed because original name is a hash value)
Original sample name: 7599ea7a23c0b0d9ecb7c895e9f8cfdb.exe
Analysis ID: 1580272
MD5: 7599ea7a23c0b0d9ecb7c895e9f8cfdb
SHA1: ebc13af0137dd53f8275ff41990ae86fc32a0b10
SHA256: 4036ab3fa5a19cdc1064ad55047dd766ea21cb1ffd4f1e4fa037eb29fa813fb2
Tags: exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: http://home.sevkk17sr.top/IYhWwFtYdnqYbODzcCzq17 | Avira URL Cloud: Label: malware
Source: eEC2TBvZ2V.exe | Virustotal: Detection: 25%
Source: eEC2TBvZ2V.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_f99ddaa9-d)
Source: eEC2TBvZ2V.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: eEC2TBvZ2V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: eEC2TBvZ2V.exe | String found in binary or memory: http://home.sevkk17sr.top/IYhWwFtYdnqYbODzcCzq17
Source: eEC2TBvZ2V.exe | String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: eEC2TBvZ2V.exe | String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: eEC2TBvZ2V.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: eEC2TBvZ2V.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: eEC2TBvZ2V.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: eEC2TBvZ2V.exe | Static PE information: No import functions for PE file found
Source: eEC2TBvZ2V.exe | Static PE information: Data appended to the last section found
Source: eEC2TBvZ2V.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: eEC2TBvZ2V.exe | Binary string: Kntdll.dllNtCreateFileNtDeviceIoControlFileNtCancelIoFileEx\Device\Afd
Source: classification engine | Classification label: mal56.winEXE@0/0@0/0
Source: eEC2TBvZ2V.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: eEC2TBvZ2V.exe | Virustotal: Detection: 25%
Source: eEC2TBvZ2V.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectorysystem_win32.c@
Source: eEC2TBvZ2V.exe | String found in binary or memory: in-addr.arpa
Source: eEC2TBvZ2V.exe | String found in binary or memory: "L0123456789abcdefin-addr.arpaip6.arpa
Source: eEC2TBvZ2V.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: eEC2TBvZ2V.exe | String found in binary or memory: [long concatenated string dump omitted]
Source: eEC2TBvZ2V.exe | String found in binary or memory: id-cmc-addExtensions
Source: eEC2TBvZ2V.exe | String found in binary or memory: set-addPolicy
Source: eEC2TBvZ2V.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: eEC2TBvZ2V.exe | Static file information: File size 6698156 > 1048576
Source: eEC2TBvZ2V.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x440800
Source: eEC2TBvZ2V.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x172c00
Source: eEC2TBvZ2V.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x146a00
Source: eEC2TBvZ2V.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: eEC2TBvZ2V.exe | Static PE information: real checksum: 0x73e7ac should be: 0x670ca9
Source: eEC2TBvZ2V.exe | Static PE information: section name: .eh_fram

ATT&CK Matrix (tactic: technique)

Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter (2)
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Archive Collected Data (1)
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
Source: eEC2TBvZ2V.exe | Detection: 25% | Scanner: Virustotal
No Antivirus matches
Source: http://home.sevkk17sr.top/IYhWwFtYdnqYbODzcCzq17 | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
No contacted domains info
Name: https://curl.se/docs/hsts.html | Source: eEC2TBvZ2V.exe | Malicious: false | Reputation: high
Name: https://curl.se/docs/alt-svc.html | Source: eEC2TBvZ2V.exe | Malicious: false | Reputation: high
Name: http://home.sevkk17sr.top/IYhWwFtYdnqYbODzcCzq17 | Source: eEC2TBvZ2V.exe | Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown
Name: https://ace-snapper-privately.ngrok-free.app/test/testFailed | Source: eEC2TBvZ2V.exe | Malicious: false | Reputation: high
Name: https://curl.se/docs/http-cookies.html | Source: eEC2TBvZ2V.exe | Malicious: false | Reputation: high
Name: https://ace-snapper-privately.ngrok-free.app/test/test | Source: eEC2TBvZ2V.exe | Malicious: false | Reputation: high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580272
Start date and time: 2024-12-24 08:34:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: eEC2TBvZ2V.exe (renamed because original name is a hash value)
Original Sample Name: 7599ea7a23c0b0d9ecb7c895e9f8cfdb.exe
Detection: MAL
Classification: mal56.winEXE@0/0@0/0
Cookbook Comments:
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
• No process behavior to analyse as no analysis process or sample was found
• Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
• Exclude process from analysis (whitelisted): dllhost.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 5.539513440655659
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: eEC2TBvZ2V.exe
File size: 6'698'156 bytes
MD5: 7599ea7a23c0b0d9ecb7c895e9f8cfdb
SHA1: ebc13af0137dd53f8275ff41990ae86fc32a0b10
SHA256: 4036ab3fa5a19cdc1064ad55047dd766ea21cb1ffd4f1e4fa037eb29fa813fb2
SHA512: c9d512e8c8a349af63861760093f1793f9210f3edc55f19a3bb13ce2bebf71f13859d6a1eff9f976fcaf4ecc52c473889cf8b0e8d04f024b82ab9c04d6618838
SSDEEP: 49152:pc2DokHnRSoWQr8KnAAwQ4yrc/PHanO2xMWgV5BPo42wOeJhmwsg3H:pcuEoWQHAnRyKP6O2xxe5W42wWMX
TLSH: AD664B85EAEB91F5DA8315715016B73F6F71B6029A35CEF6CBC0CE34C562A116A0E32C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e@g...............(..D...s..2........... D...@...........................s.......s...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4014a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x67406518 [Fri Nov 22 11:03:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
Instruction
mov dword ptr [00B01644h], 00000001h
jmp 00007F023C8605D6h
nop
mov dword ptr [00B01644h], 00000000h
jmp 00007F023C8605C6h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F023CBE5E36h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 009B5000h
call dword ptr [00B03854h]
sub esp, 04h
test eax, eax
je 00007F023C860995h
mov ebx, eax
mov dword ptr [esp], 009B5000h
call dword ptr [00B038C0h]
mov edi, dword ptr [00B03868h]
sub esp, 04h
mov dword ptr [00AFF028h], eax
mov dword ptr [esp+04h], 009B5013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 009B5029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [00842004h], eax
test esi, esi
je 00007F023C860933h
mov dword ptr [esp+04h], 00AFF02Ch
mov dword ptr [esp], 00AFC104h
call esi
mov dword ptr [esp], 00401580h
call 00007F023C860883h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x703000         0x2850        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x708000         0x31a7c       .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x6fa4f0         0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x703714         0x570         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name: Virtual Address; Virtual Size; Raw Size; MD5; Xored PE; ZLIB Complexity; File Type; Entropy; Characteristics)
.text: Virtual Address 0x1000; Virtual Size 0x4406fc; Raw Size 0x440800; MD5 c3942151b44f3c51c9a479c9c9137fe3; Xored PE unknown; ZLIB Complexity unknown; File Type unknown; Entropy unknown; Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data: Virtual Address 0x442000; Virtual Size 0x172ac0; Raw Size 0x172c00; MD5 5e6df8abfe35f5194710738d9d30ff80; Xored PE False; ZLIB Complexity 0.0142032883091706; File Type dBase III DBT, version number 0, next free block index 10, 1st item "\260~y"; Entropy 0.21120884419920893; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata: Virtual Address 0x5b5000; Virtual Size 0x1469e8; Raw Size 0x146a00; MD5 5f2412b56b9f04f55f80a00de8ae33f9; Xored PE False; ZLIB Complexity 0.3641249701407136; File Type data; Entropy 5.937862191579041; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram: Virtual Address 0x6fc000; Virtual Size 0x2f50; Raw Size 0x3000; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss: Virtual Address 0x6ff000; Virtual Size 0x3160; Raw Size 0x0; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata: Virtual Address 0x703000; Virtual Size 0x2850; Raw Size 0x2a00; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT: Virtual Address 0x706000; Virtual Size 0x30; Raw Size 0x200; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls: Virtual Address 0x707000; Virtual Size 0x8; Raw Size 0x200; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc: Virtual Address 0x708000; Virtual Size 0x31a7c; Raw Size 0x31c00; MD5 d41d8cd98f00b204e9800998ecf8427e; Xored PE False; ZLIB Complexity 0; File Type empty; Entropy 0.0; Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly