Edit tour

Windows Analysis Report
7ZAg3nl9Fu.exe

Overview

General Information

Sample name:	7ZAg3nl9Fu.exe renamed because original name is a hash value
Original sample name:	4a03b82eee9ce63047430f3bf6707e27.exe
Analysis ID:	1581202
MD5:	4a03b82eee9ce63047430f3bf6707e27
SHA1:	9ab3c247dbb97c2c496ee3d92290f6d37868e614
SHA256:	65a060f8606f2213f1480ea132d519590f2736d8e1f53edb33fdfb27b3c9d869
Tags:	exeuser-Rony
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Potential thread-based time evasion detected

Switches to a custom stack to bypass stack traces

Abnormal high CPU Usage

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

7ZAg3nl9Fu.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\7ZAg3nl9Fu.exe" MD5: 4A03B82EEE9CE63047430F3BF6707E27)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

ET WORM Potential MySQL bot scanning for SQL server

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T08:33:06.283274+0100	2001689	1	A Network Trojan was detected	192.168.2.6	49707	147.45.44.166	3306	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 7ZAg3nl9Fu.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 7ZAg3nl9Fu.exe	Virustotal: Detection: 77%			Perma Link
Source: 7ZAg3nl9Fu.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 7ZAg3nl9Fu.exe

Joe Sandbox ML: detected

Source: 7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ce555633-3

Source: 7ZAg3nl9Fu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2001689 - Severity 1 - ET WORM Potential MySQL bot scanning for SQL server : 192.168.2.6:49707 -> 147.45.44.166:3306

Source: global traffic

TCP traffic: 192.168.2.6:49707 -> 147.45.44.166:3306

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.166
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.166
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.166
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.166

Source: 7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html

System Summary

PE file contains section with special chars

Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]
Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]
Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Process Stats: CPU usage > 49%

Source: 7ZAg3nl9Fu.exe, 00000000.00000000.2117980345.0000000001842000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename.NET Host* vs 7ZAg3nl9Fu.exe
Source: 7ZAg3nl9Fu.exe	Binary or memory string: OriginalFilename.NET Host* vs 7ZAg3nl9Fu.exe

Source: 7ZAg3nl9Fu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Mutant created: \Sessions\1\BaseNamedObjects\winrar8KEGNWLJEMAmaV3_2_8

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7ZAg3nl9Fu.exe	Virustotal: Detection: 77%
Source: 7ZAg3nl9Fu.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Section loaded: mswsock.dll			Jump to behavior

Source: 7ZAg3nl9Fu.exe

Static file information: File size 8933376 > 1048576

Source: 7ZAg3nl9Fu.exe

Static PE information: Raw size of .vmp] is bigger than: 0x100000 < 0x86ba00

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp]

Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]
Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]
Source: 7ZAg3nl9Fu.exe	Static PE information: section name: .vmp]

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 1FA0005 value: E9 8B 2F 3E 75	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 77382F90 value: E9 7A D0 C1 8A	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 1FF0005 value: E9 2B BA 35 75	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 7734BA30 value: E9 DA 45 CA 8A	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 2000008 value: E9 8B 8E 39 75	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 77398E90 value: E9 80 71 C6 8A	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 2020005 value: E9 8B 4D 91 74	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 76934D90 value: E9 7A B2 6E 8B	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 39E0005 value: E9 EB EB F6 72	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 7694EBF0 value: E9 1A 14 09 8D	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 39F0005 value: E9 8B 8A F3 71	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 75928A90 value: E9 7A 75 0C 8E	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 3A00005 value: E9 2B 02 F5 71	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Memory written: PID: 1460 base: 75950230 value: E9 DA FD 0A 8E	Jump to behavior

Malware Analysis System Evasion

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 102702B
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 17BDEAF
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 1783650
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 111F236
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 10EA7AD
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 10EE0B0
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: FE60A6
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 10A18F7
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 105E282
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 1166909
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 10DD2E6
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: 17B97AD
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	API/Special instruction interceptor: Address: FE9F13

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Window / User API: threadDelayed 3247			Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Window / User API: threadDelayed 3203			Jump to behavior

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 4176	Thread sleep count: 321 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 4176	Thread sleep time: -32100s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 1908	Thread sleep count: 3247 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 1908	Thread sleep time: -32470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 4176	Thread sleep count: 3203 > 30	Jump to behavior
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe TID: 4176	Thread sleep time: -320300s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Thread sleep count: Count: 3247 delay: -10

Jump to behavior

Source: 7ZAg3nl9Fu.exe, 00000000.00000002.4570850443.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\7ZAg3nl9Fu.exe

Process Stats: CPU usage > 42% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	1 Credential API Hooking	31 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	121 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7ZAg3nl9Fu.exe	77%	Virustotal		Browse
7ZAg3nl9Fu.exe	71%	ReversingLabs	Win32.Trojan.Riseloader
7ZAg3nl9Fu.exe	100%	Avira	TR/Crypt.XPACK.Gen
7ZAg3nl9Fu.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	false	high
https://curl.se/docs/alt-svc.html	7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	false	high
https://curl.se/docs/http-cookies.html	7ZAg3nl9Fu.exe, 00000000.00000002.4569199663.0000000000953000.00000002.00000001.01000000.00000003.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.166	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581202
Start date and time:	2024-12-27 08:32:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7ZAg3nl9Fu.exe renamed because original name is a hash value
Original Sample Name:	4a03b82eee9ce63047430f3bf6707e27.exe
Detection:	MAL
Classification:	mal92.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
02:33:39	API Interceptor	11088578x Sleep call for process: 7ZAg3nl9Fu.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	HOrW5twCLd.exe	Get hash	malicious	XenoRAT	Browse	147.45.69.75
	cMTqzvmx9u.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	147.45.44.224
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	iviewers.dll	Get hash	malicious	LummaC	Browse	147.45.44.131
	Collapse.exe	Get hash	malicious	LummaC	Browse	147.45.47.81
	nTyPEbq9wQ.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	7A2lfjTYNf.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	6fW0guYpsH.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	FzmtNV0vnG.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155
	lKin1m7Pf2.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.990893955664666
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7ZAg3nl9Fu.exe
File size:	8'933'376 bytes
MD5:	4a03b82eee9ce63047430f3bf6707e27
SHA1:	9ab3c247dbb97c2c496ee3d92290f6d37868e614
SHA256:	65a060f8606f2213f1480ea132d519590f2736d8e1f53edb33fdfb27b3c9d869
SHA512:	4b65b2498c1f8235abb1d57287ae21902e43a5b1bae91c504c008af5a0f4a99834cbe91a1645d5ec6472047c65011bf7b587d310be1a9dc88df8d8b21f481ddc
SSDEEP:	196608:kATgKsJS6RVOR5BUG2vTXDgaI/jmXbdJrv/3Oq4j/d1:zhXmOR0TTNI/iXBlH0rr
TLSH:	EF9633A367E6304CD4A97EF8074BA5BF3C752CE64440CD3E52C8AE9ABCA351508B7791
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............'......<.......s......0....@..................................i....@................................

File Icon


Icon Hash:	3771cdcccd5b0f0e

Static PE Info

General

Entrypoint:	0xb385c7
Entrypoint Section:	.vmp]
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67069D81 [Wed Oct 9 15:13:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	22fdff218e67136da776c02ad644f82a

Entrypoint Preview

Instruction
call 00007F0ADCBFA079h
mov dword ptr [esp+10h], C705AEB9h
lea esp, dword ptr [esp+14h]
jmp 00007F0ADCB9BCDAh
lea esp, dword ptr [esp+08h]
jmp 00007F0ADD2FF5ACh
adc esi, 00000004h
mov dword ptr [esp+00h], 47275618h
mov dword ptr [esp+00h], edx
popfd
push 7E3632ABh
lea esp, dword ptr [esp+04h]
jmp 00007F0ADD33A511h
call 00007F0ADCB8A018h
ror byte ptr [esp+09h], 00000007h
neg ebp
xor ebx, ebp
shr dword ptr [esp+18h], FFFFFFE1h
neg dword ptr [esp+15h]
sbb esi, 00000003h
call 00007F0ADCCDCB55h
call 00007F0ADCC9D5D1h
jmp 00007F0ADD2E2D79h
lea esp, dword ptr [esp+0Ch]
jmp 00007F0ADCB4D5D8h
push 500E5899h
jmp 00007F0ADCBDAD64h
call 00007F0ADCC2DC2Ch
call 00007F0ADD31E1A8h
call 00007F0ADCC76321h
jmp 00007F0ADD39E75Bh
dec ecx
adc edx, 00000008h
dec eax
mov dword ptr [esp+00h], 0210C8BEh
dec eax
dec dword ptr [esp+00h]
sal word ptr [esp+05h], 0062h
dec ecx
adc ecx, eax
jmp 00007F0ADCCB4F59h
sysenter
push esi
pushfd
mov esi, 623B90A4h
movzx esi, si
mov esi, dword ptr [esp+esi*8+00FB7AE4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf22324	0xc8	.vmp]
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfa2000	0x18bb9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfbb000	0x354	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7cd01c	0x18	.vmp]
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xfa18e0	0x40	.vmp]
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x735000	0x48	.vmp]
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb1d2c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb3000	0x212d8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd5000	0x2414	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp]	0xd8000	0x65c1e2	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp]	0x735000	0x68	0x200	17fe8ae166d1302cec148ec02c524495	False	0.107421875	data	0.49252369622245973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp]	0x736000	0x86b9a0	0x86ba00	ab242c45a049c7326b780922d4d6aba8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xfa2000	0x18bb9	0x18c00	35b94006cd58b35e6cb632c3798cada7	False	0.29853219696969696	data	4.523242780407002	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfbb000	0x354	0x400	ec23768842cc66fc8c86ebc7a364a5bd	False	0.5048828125	data	3.755268748163135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xfa21f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	Russian	Russia	0.6338652482269503
RT_ICON	0xfa2658	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	Russian	Russia	0.4416041275797373
RT_ICON	0xfa3700	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	Russian	Russia	0.36721991701244816
RT_ICON	0xfa5ca8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	Russian	Russia	0.3298299480396788
RT_ICON	0xfa9ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.26818880870696793
RT_GROUP_ICON	0xfba6f8	0x4c	data	Russian	Russia	0.75
RT_VERSION	0xfba744	0x2f8	data	Russian	Russia	0.45526315789473687
RT_MANIFEST	0xfbaa3c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
ADVAPI32.dll	CryptAcquireContextA
SHELL32.dll	ShellExecuteA
OLEAUT32.dll	VariantClear
CRYPT32.dll	CertFreeCertificateChain
WLDAP32.dll
Normaliz.dll	IdnToAscii
WS2_32.dll	getsockopt
bcrypt.dll	BCryptGenRandom

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T08:33:06.283274+0100	2001689	ET WORM Potential MySQL bot scanning for SQL server	1	192.168.2.6	49707	147.45.44.166	3306	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 08:33:06.283273935 CET	49707	3306	192.168.2.6	147.45.44.166
Dec 27, 2024 08:33:06.402998924 CET	3306	49707	147.45.44.166	192.168.2.6
Dec 27, 2024 08:33:06.403127909 CET	49707	3306	192.168.2.6	147.45.44.166
Dec 27, 2024 08:33:08.601917982 CET	3306	49707	147.45.44.166	192.168.2.6
Dec 27, 2024 08:33:08.601989031 CET	49707	3306	192.168.2.6	147.45.44.166
Dec 27, 2024 08:33:08.602066994 CET	49707	3306	192.168.2.6	147.45.44.166
Dec 27, 2024 08:33:08.721581936 CET	3306	49707	147.45.44.166	192.168.2.6

Target ID:	0
Start time:	02:33:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\7ZAg3nl9Fu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7ZAg3nl9Fu.exe"
Imagebase:	0x8a0000
File size:	8'933'376 bytes
MD5 hash:	4A03B82EEE9CE63047430F3BF6707E27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7ZAg3nl9Fu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 7ZAg3nl9Fu.exePID: 1460, Parent PID: 4004

General

Chronological Activities

Disassembly

Windows Analysis Report
7ZAg3nl9Fu.exe