Edit tour

Windows Analysis Report
2S5jaCcFo5.exe

Overview

General Information

Sample name:	2S5jaCcFo5.exe renamed because original name is a hash value
Original sample name:	4ae76b4623e36ecb1d403b3b681a0de0.exe
Analysis ID:	1580290
MD5:	4ae76b4623e36ecb1d403b3b681a0de0
SHA1:	f3c6b83092d2420f83221f9be8b938e0feb86428
SHA256:	2f9cf2feded9f6ce5d10bd8d7b91c6377b40d6ba17bc1a33a50078f634e687a7
Tags:	exeuser-abuse_ch

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

PE file contains sections with non-standard names

PE file does not import any functions

PE file overlay found

Uses 32bit PE files

Classification

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2S5jaCcFo5.exe	Virustotal: Detection: 19%			Perma Link
Source: 2S5jaCcFo5.exe	ReversingLabs: Detection: 21%

Source: 2S5jaCcFo5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2S5jaCcFo5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2S5jaCcFo5.exe	String found in binary or memory: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s&client_id=%
Source: 2S5jaCcFo5.exe	String found in binary or memory: https://opentelemetry.io/schemas/1.24.0too
Source: 2S5jaCcFo5.exe	String found in binary or memory: https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&RoleSessionName=%s&RoleArn=%s&WebIdentit

Source: 2S5jaCcFo5.exe

Static PE information: No import functions for PE file found

Source: 2S5jaCcFo5.exe

Static PE information: Data appended to the last section found

Source: 2S5jaCcFo5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2S5jaCcFo5.exe	Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStart116415321826934814453125582076609134674072265625zlib: invalid dictionaryreflect.StructOf: field reflect.MapIter.SetValuereflect.Value.SetComplexreflect.Value.UnsafeAddrx509: malformed validityexec: Stdout already setexec: Stderr already setCodeWithScopeDecodeValueCodeWithScopeEncodeValueunsupported key type: %vCodeWithScopeSpacerFramePointerCodec.EncodeValuePointerCodec.DecodeValuefield %v is not settableinvalid tracestate valuejson: unsupported type: expected float; found %stabwriter: panic during invalid pattern syntax: flate: maxBits too largeAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDeviceGetWindowThreadProcessId{"$code":%s,"$scope":%s}bsoncore.Value.DBPointerbsoncore.Value.Timestampunknown compressor ID %vtext/html; charset=utf-8unexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sapplication/octet-streamRequest Entity Too Largehttp: nil Request.Header^127[.]0[.]0[.]1(:\d+)?$server selection timeout%s while positioned on aTLS_RSA_WITH_RC4_128_SHAerror decrypting messagecertificate unobtainableOTEL_RESOURCE_ATTRIBUTESbaggage-string too largeaddress string too shortresource length too longunpacking Question.Class&DiacriticalDoubleAcute;&NotSquareSupersetEqual;unknown address protocolinvalid address checksumcould not decode: %v: %w302231454903657293676544sha2-256-trunc254-padded\Device\NamedPipe\cygwindecoder used after ClosemaxSymbolValue too smallsymbolLen (%d) too smallidna: disallowed rune %Urequest context canceledX-aws-ec2-metadata-tokenserver validation failedNested channel(id:%d) %sMalformed method name %qNotNestedGreaterGreater;digest size is too largestreamSafe was not resetmultiple errors occurredchacha20: wrong key sizeValue kind is %s, not %scode: %s, debug data: %qnegative concat size: %dgoogle.protobuf.DurationGODEBUG sys/cpu: value "", required CPU feature
Source: 2S5jaCcFo5.exe	Binary string: duplicated defer entryruntime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type trace: alloc too largenon-Go function at pc=reflectlite.Value.TypeRtlLookupFunctionEntryCreateEnvironmentBlock4656612873077392578125%SystemRoot%\system32\0123456789aAbBcCdDeEfFexpected quoted stringInscriptional_ParthianNyiakeng_Puachue_Hmongzlib: invalid checksumunexpected method stepreflect.Value.MapIndexreflect.MapIter.SetKeyreflect.Value.SetFloat to array with length x509: malformed issuerzero length BIT STRINGended session was usedRegistry cannot be nilbsoncore.Value.BooleanUnmarshalerDecodeValue) multiple inline mapsinvalid tracestate key into Go struct field json: unknown field %q.localhost.localdomainmissing ']' in addressinvalid address familyoperation was canceledundefined variable: %sindex out of range: %dreflectlite.Value.Elemunexpected length codeEnumDependentServicesWWaitForMultipleObjectsNtSetSystemInformationRtlDeleteFunctionTableSetupDiEnumDriverInfoWSetupDiGetClassDevsExWoverflowing coordinateInt.Scan: invalid verbinvalid number base %dinternal inconsistencygzip: invalid checksumelement is missing keybsoncore.Value.AsInt32bsoncore.Value.AsInt64{"$numberDouble":"%s"}write command error: [http2: frame too largewrite on closed bufferbody closed by handlerframe_data_pad_too_bigaccess-control-max-ageinvalid Trailer key %qmalformed HTTP versionX-Content-Type-OptionsUnsupported Media TypeDEBUG_HTTP2_GOROUTINESMAX_CONCURRENT_STREAMSMONGODB_LOG_CONNECTIONX-MongoDB-Server-NonceWriteBinaryWithSubtype{"$binary":{"base64":"TLS_AES_128_GCM_SHA256TLS_AES_256_GCM_SHA384ECDSAWithP256AndSHA256ECDSAWithP384AndSHA384ECDSAWithP521AndSHA512error decoding messageinappropriate fallbackconflicting Schema URLtelemetry.sdk.languageIPv4 address too shortmultiple :: in addressskipping Question Nameskipping Question Typeunexpected right parenexpected end; found %sparenthesized pipeline&CapitalDifferentialD;&DoubleLeftRightArrow;&DoubleLongRightArrow;&EmptyVerySmallSquare;&NestedGreaterGreater;&NotDoubleVerticalBar;&NotGreaterSlantEqual;&NotLeftTriangleEqual;&NotSquareSubsetEqual;&OpenCurlyDoubleQuote;&ReverseUpEquilibrium;error parsing regexp: invalid address lengthfil/7/verifiedregistryunknown multihash code\Device\NamedPipe\msyssymbolLen (%d) too bighpack: string too longheader field %q = %q%sidna: invalid label %qservice config updatedgrpc-retry-pushback-msjava_string_check_utf8php_metadata_namespaceCloseCurlyDoubleQuote;DoubleContourIntegral;FilledVerySmallSquare;NegativeVeryThinSpace;NotPrecedesSlantEqual;NotRightTriangleEqual;NotSucceedsSlantEqual;fil/1/verifiedregistryfil/2/verifiedregistryfil/3/verifiedregistrysha3: Write after ReadBalancerAttributes: %v[client-transport %p] received invalid frame[server-transport %p] GRPC_BINARY_LOG_FILTERinvalid config: %q, %voneof type already setunknown parent type %TXXX_InternalExtensionsinvalid empty type URL{%v %v %

Source: classification engine

Classification label: mal48.winEXE@0/0@0/0

Source: 2S5jaCcFo5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2S5jaCcFo5.exe	Virustotal: Detection: 19%
Source: 2S5jaCcFo5.exe	ReversingLabs: Detection: 21%

Source: 2S5jaCcFo5.exe	String found in binary or memory: &github.com/filecoin-project/go-address
Source: 2S5jaCcFo5.exe	String found in binary or memory: &github.com/filecoin-project/go-address&map[abi.RegisteredPoStProof]struct {}&map[abi.RegisteredSealProof]struct {}&map.bucket[cid.Cid]builtin.actorInfo
Source: 2S5jaCcFo5.exe	String found in binary or memory: )go.mongodb.org/mongo-driver/mongo/address
Source: 2S5jaCcFo5.exe	String found in binary or memory: asn1:"tag:0,optional,explicit")map.bucket[logger.Component]logger.Level)go.mongodb.org/mongo-driver/bson/bsontype)go.mongodb.org/mongo-driver/internal/csot)go.mongodb.org/mongo-driver/internal/uuid)github.com/zeromicro/go-zero/core/stringx)go.mongodb.org/mongo-driver/mongo/address)func(trace.TraceFlags) trace.SpanContext)func(trace.TraceState) trace.SpanContext)func(string, string, func(string) error))func([]uint8) (int, net.UDPAddr, error))func([]uint8, net.UDPAddr) (int, error))func(string, func(string) string) string)map.bucket[color.Color][]color.Attribute)func() (string, bsoncore.Document, bool))func(http.ResponseWriter, http.Request))func(http.http2SettingID) (uint32, bool))map.bucket[string]http.http2addConnCall)interface { IsHTTP2NoCachedConnError() })validateConnectionAddressWithAllowedHosts)struct { Nonce string "bson:\"nonce\"" })func(string) (bsonrw.ValueWriter, error))func([]uint8, []uint8, []uint8, []uint8))google.golang.org/protobuf/internal/order)go.opentelemetry.io/otel/internal/baggage)map.bucket[string]blackfriday.reference)func(multibase.Encoding) (string, error))struct { CidTarget string "json:\"/\"" })func([]uint8) (nistec.P224Point, error))func([]uint8) (nistec.P256Point, error))func([]uint8) (nistec.P384Point, error))func([]uint8) (nistec.P521Point, error))go.uber.org/automaxprocs/internal/runtime)go.mongodb.org/mongo-driver/internal/rand)*func(context.Context, slog.Record) error
Source: 2S5jaCcFo5.exe	String found in binary or memory: runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine unixpacketLockFileEx12207031256103515625ParseFloatRIPEMD-160(BADINDEX)%!(NOVERB)ChorasmianDevanagariGlagoliticKharoshthiManichaeanOld_ItalicOld_PermicOld_TurkicOld_UyghurPhoenicianSaurashtracomplex128t.Kind == SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1IP addressPOSTALCODEexecerrdotSYSTEMROOT@timestampbackgrounddefinitionx-trace-id for type /etc/hostsmyhostname.localhostwsarecvmsgwsasendmsg netGo = <no value>value for arg %d: %whttp2debugcrypto/tlsdwmapi.dllIsValidSidLocalAllocOpenEventWOpenMutexWOpenThreadPulseEventResetEventimpossiblefirstBatchnot masterDeploymentcreateUserupdateUserapiVersionautocommitdurationMSStandaloneReplicaSetConnectionlocal-addrSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookieuser-agentkeep-aliveconnectionUser-AgentHost: %s
Source: 2S5jaCcFo5.exe	String found in binary or memory: ... omitting .WithDeadline(<not Stringer>TOKEN_RESOURCERawEncodeValueRawDecodeValueIntDecodeValueURLDecodeValueMapDecodeValueIntEncodeValueURLEncodeValueMapEncodeValue.in-addr.arpa.unknown mode: len of type %s\.+?()\|[]{}^$mime/multipartControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueW{"$symbol":%s}command failedcopydbgetnonceCommand failed$numberDecimal, Tag sets: %sContent-Length; SameSite=LaxERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofunknown error unknown code: Not AcceptableMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMconversationIdReadDecimal128ReadJavascriptWriteDBPointerWriteTimestampWriteUndefined%s can only %sReadValueBytes32-bit integer64-bit integerbad record MACCompressorNoOpCompressorZLibCompressorZstdDisplayVersionhttp.client_ipALREADY_EXISTS"OUT_OF_RANGE"AuthInfo: '%s'prefix length not an ip:portinvalid PrefixResourceHeaderRCodeNameErrorunknown node: HorizontalRule&DownArrowBar;&DownTeeArrow;&ExponentialE;&GreaterEqual;&GreaterTilde;&HilbertSpace;&HumpDownHump;&Intersection;&LeftArrowBar;&LeftTeeArrow;&LeftTriangle;&LeftUpVector;&NotCongruent;&NotHumpEqual;&NotLessEqual;&NotLessTilde;&Proportional;&RightCeiling;&RoundImplies;&ShortUpArrow;&SquareSubset;&UnderBracket;&VerticalLine;&blacklozenge;&exponentiale;&risingdotseq;&triangledown;&triangleleft;&varsubsetneq;&varsupsetneq;InstEmptyWidthfil/7/multisigAccept-CharsetDkim-Signatureneed more dataREQUEST_METHODSignedHeaders=StaticProvidere=unknown-userr=%s,s=%s,i=%dSubConn(id:%d)STATUS_CODE_OKunknown ID: %vprotobuf errorreserved_rangefield_presenceApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;base32padupperbase32hexupperfil/1/multisigfil/2/multisigfil/3/multisig%s Channel #%dgrpc-trace-bintoo_many_pingsshow_sensitive^(.)\[(.)\]$MessageOptionsServiceOptionsinvalid kind: protobuf_oneofXXX_OneofFuncsXXX_extensionsLOGGER_UNKNOWN(line %d:%d): invalid %v: %v$htmltemplate_ / %s */null formnovalidatestart of arraystart of valueReservedRangeswriter is deadloggabletraceruint64<string>uint32<string>string<string>[]byte<string>GetProcessTimesDuplicateHandlenegative offset: cannot parse ,M3.2.0,M11.1.0advertise errorkey has expirednetwork is downno medium foundno such processGetAdaptersInfoCreateHa
Source: 2S5jaCcFo5.exe	String found in binary or memory: depgithub.com/filecoin-project/go-addressv0.0.5h1:SSaFT/5aLfPXycUlFyemoHYhRgdyXClXCyDdNJKPlDM=
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.Network
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.String
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.Address.Canonicalize
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).Canonicalize
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).Network
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver/mongo/address.(*Address).String
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func1
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.glob..func2
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Empty
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Unmarshal
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.Marshal
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Scan
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewIDAddress
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalCBOR
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalCBOR
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.init
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Empty
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Marshal
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Payload
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Protocol
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Unmarshal
Source: 2S5jaCcFo5.exe	String found in binary or memory: net/addrselect.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: go.mongodb.org/mongo-driver@v1.17.1/mongo/address/addr.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: google.golang.org/grpc@v1.65.0/internal/balancerload/load.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.5/address.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.5/address.go
Source: 2S5jaCcFo5.exe	String found in binary or memory: github.com/filecoin-project/go-address@v0.0.5/constants.go

Source: 2S5jaCcFo5.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 2S5jaCcFo5.exe

Static file information: File size 14039534 > 1048576

Source: 2S5jaCcFo5.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x748000
Source: 2S5jaCcFo5.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x76ae00

Source: 2S5jaCcFo5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 2S5jaCcFo5.exe

Static PE information: section name: .symtab

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2S5jaCcFo5.exe	19%	Virustotal		Browse
2S5jaCcFo5.exe	21%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s&client_id=%	0%	Avira URL Cloud	safe
https://opentelemetry.io/schemas/1.24.0too	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://opentelemetry.io/schemas/1.24.0too	2S5jaCcFo5.exe	false	Avira URL Cloud: safe	unknown
https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&RoleSessionName=%s&RoleArn=%s&WebIdentit	2S5jaCcFo5.exe	false		high
http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=%s&client_id=%	2S5jaCcFo5.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580290
Start date and time:	2024-12-24 08:51:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2S5jaCcFo5.exe renamed because original name is a hash value
Original Sample Name:	4ae76b4623e36ecb1d403b3b681a0de0.exe
Detection:	MAL
Classification:	mal48.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	QDQXUZhiY3.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	13.107.246.63
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	13.107.246.63
	Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	vFile__0054seconds__Airborn.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ZysXVT72cl.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	NxqDwaYpbp.exe	Get hash	malicious	LummaC	Browse	13.107.246.63

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.333084120248259
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2S5jaCcFo5.exe
File size:	14'039'534 bytes
MD5:	4ae76b4623e36ecb1d403b3b681a0de0
SHA1:	f3c6b83092d2420f83221f9be8b938e0feb86428
SHA256:	2f9cf2feded9f6ce5d10bd8d7b91c6377b40d6ba17bc1a33a50078f634e687a7
SHA512:	9c725ef4d67a74dc4ea37ac78ec037590db8276589cb23639cd76108ce57a6c04e317ef7fa9d95f92203fe70fe5ac760430b9480ce31aeb8a004db49fe6caf68
SSDEEP:	98304:mIsgziodRecV+zqR/v8oAQJrGKTbWwB4l5B2MIjSOdsv9YynoAyoW8BRQPzdZ:1U40opxKHIjSOdsVV/+Z
TLSH:	3DE62B41EECB50F9E9079831516BB23F633056058778CBCFDB95AE26EA373825937209
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........l................t..B...... ........@....@.......................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46f420
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:

Entrypoint Preview

Instruction
jmp 00007FBC38E82E80h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
sub esp, 28h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+10h], ebp
mov dword ptr [esp+14h], esi
mov dword ptr [esp+18h], edi
mov dword ptr [esp], eax
mov dword ptr [esp+04h], ecx
call 00007FBC38E68436h
mov eax, dword ptr [esp+08h]
mov edi, dword ptr [esp+18h]
mov esi, dword ptr [esp+14h]
mov ebp, dword ptr [esp+10h]
mov ebx, dword ptr [esp+1Ch]
add esp, 28h
retn 0004h
ret
int3
int3
int3
int3
int3
int3
sub esp, 08h
mov ecx, dword ptr [esp+0Ch]
mov edx, dword ptr [ecx]
mov eax, esp
mov dword ptr [edx+04h], eax
sub eax, 00010000h
mov dword ptr [edx], eax
add eax, 00000BA0h
mov dword ptr [edx+08h], eax
mov dword ptr [edx+0Ch], eax
lea edi, dword ptr [ecx+34h]
mov dword ptr [edx+18h], ecx
mov dword ptr [edi], edx
mov dword ptr [esp+04h], edi
call 00007FBC38E852C4h
cld
call 00007FBC38E8436Eh
call 00007FBC38E82FA9h
add esp, 08h
ret
mov ebx, dword ptr [esp+04h]
mov dword ptr fs:[00000034h], 00000000h
mov ebp, esp
mov ecx, dword ptr [ebx+04h]
mov eax, ecx
shl eax, 02h
sub esp, eax
mov edi, esp
mov esi, dword ptr [ebx+08h]
cld
rep movsd
call dword ptr [ebx]
mov esp, ebp
mov ebx, dword ptr [esp+04h]
mov dword ptr [ebx+0Ch], eax
mov dword ptr [ebx+10h], edx
mov eax, dword ptr fs:[00000034h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf4e000	0x45e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfb0000	0x40c41	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf4f000	0x5feec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xeb60a0	0xb8	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x747ff0	0x748000	3a2f701b880fe58a8c39e978010f40ab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x749000	0x76ace4	0x76ae00	bbf79bc379fc606721ce576357be6c3e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xeb4000	0x99978	0x63400	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xf4e000	0x45e	0x600	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xf4f000	0x5feec	0x60000	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xfaf000	0x4	0x200	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xfb0000	0x40c41	0x40e00	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:52:22.144227028 CET	1.1.1.1	192.168.2.9	0x3a3b	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 08:52:22.144227028 CET	1.1.1.1	192.168.2.9	0x3a3b	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2S5jaCcFo5.exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

DNS Answers

Statistics

System Behavior

Disassembly

Windows Analysis Report
2S5jaCcFo5.exe