
Windows Analysis Report
6LYGpddoz7.exe

Overview

General Information

Sample name: 6LYGpddoz7.exe (renamed because the original name is a hash value)
Original sample name: f86b8eca7716e57077952d0654a10fef.exe
Analysis ID: 1580277
MD5: f86b8eca7716e57077952d0654a10fef
SHA1: cf40bd05d7aac4663fedd885594c72c434665174
SHA256: 238d000d4f72673584aa6e8e16e9808e288c295b5c4b82c2e088b5653e2903e2
Tags: exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 6LYGpddoz7.exe | Virustotal: Detection: 29%
Source: 6LYGpddoz7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 6LYGpddoz7.exe | String found in binary or memory: http://.css
Source: 6LYGpddoz7.exe | String found in binary or memory: http://.jpg
Source: 6LYGpddoz7.exe | String found in binary or memory: http://html4/loose.dtd
Source: 6LYGpddoz7.exe | String found in binary or memory: http://s3.amazonaws.com/doc/2006-03-01/
Source: 6LYGpddoz7.exe | Static PE information: Number of sections : 12 > 10
Source: 6LYGpddoz7.exe | Static PE information: No import functions for PE file found
Source: 6LYGpddoz7.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
Source: 6LYGpddoz7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6LYGpddoz7.exe | Virustotal: Detection: 29%
Source: 6LYGpddoz7.exe | String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
Source: 6LYGpddoz7.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: 6LYGpddoz7.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 6LYGpddoz7.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 6LYGpddoz7.exe | Static file information: File size 12568481 > 1048576
Source: 6LYGpddoz7.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x974000
Source: 6LYGpddoz7.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xb72c00
Source: 6LYGpddoz7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 6LYGpddoz7.exe | Static PE information: section name: .xdata
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Path Interception | Direct Volume Access | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Source | Detection | Scanner | Label
6LYGpddoz7.exe | 30% | Virustotal |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | 6LYGpddoz7.exe | false | | high
http://s3.amazonaws.com/doc/2006-03-01/ | 6LYGpddoz7.exe | false | | high
http://.css | 6LYGpddoz7.exe | false | | high
http://.jpg | 6LYGpddoz7.exe | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580277
Start date and time: 2024-12-24 08:34:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 6LYGpddoz7.exe (renamed because the original name is a hash value)
Original Sample Name: f86b8eca7716e57077952d0654a10fef.exe
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.067615931111859
TrID:
  • Win64 Executable (generic) (12005/4) 74.95%
  • Generic Win/DOS Executable (2004/3) 12.51%
  • DOS Executable Generic (2002/1) 12.50%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: 6LYGpddoz7.exe
File size: 12'568'481 bytes
MD5: f86b8eca7716e57077952d0654a10fef
SHA1: cf40bd05d7aac4663fedd885594c72c434665174
SHA256: 238d000d4f72673584aa6e8e16e9808e288c295b5c4b82c2e088b5653e2903e2
SHA512: 34c96b7da7998dd4e2508e2a336cff8ec2f6277e637494ab339382465368651278e03d7f907309e8b0788775cb49899296f6f3929c35c4057ca0fb97ebe53567
SSDEEP: 98304:8/9by/rwaIUiwqrhpZ28B8ENcFsBEu7eHIHF:JrwaIuq9G8BVNcSea
TLSH: F7C6E817D9A940E8C0EDD4348662D637FEA17849873437EB2FA09A912F16FD0AF79710
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.@....`..B.............@..............................g.....E.a...`... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x1400014c0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash:
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0158DF75h]
mov dword ptr [eax], 00000001h
call 00007F5980B4373Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0158DF55h]
mov dword ptr [eax], 00000000h
call 00007F5980B4371Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F59814B6CCCh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F5980B43A59h
nop dword ptr [eax+00h]
ret
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x162e000 | 0x4e | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x162f000 | 0x1460 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1633000 | 0xe787 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1590000 | 0x37b78 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1642000 | 0x3519c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x158eda0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x162f494 | 0x458 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x973f10 | 0x974000 | 6b00c88ff2be3da5edf91928a2274603 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x975000 | 0xa7a50 | 0xa7c00 | 966c1f5e45a92830a17dc37f7d273c85 | False | 0.32735946814456035 | dBase III DBT, version number 0, next free block index 10, 1st item "RhJHDQXO8P8=" | 5.1236007617466734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xa1d000 | 0xb72bf0 | 0xb72c00 | e78891c85f207a569292a12ebe437b3d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata | 0x1590000 | 0x37b78 | 0x37c00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata | 0x15c8000 | 0xc68 | 0xe00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss | 0x15c9000 | 0x64100 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x162e000 | 0x4e | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata | 0x162f000 | 0x1460 | 0x1600 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT | 0x1631000 | 0x70 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1632000 | 0x10 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1633000 | 0xe787 | 0xe800 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x1642000 | 0x3519c | 0x35200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly