
Windows Analysis Report
zox1oNM5Xl.exe

Overview

General Information

Sample name:zox1oNM5Xl.exe
renamed because original name is a hash value
Original sample name:e6966719c5ad13b4ffeb3475c037410e.exe
Analysis ID:1581392
MD5:e6966719c5ad13b4ffeb3475c037410e
SHA1:ce7533af05ada74e959859aaae96370de896edf3
SHA256:627ef85c42fe43276763c5fe0fd5dcc4917e5977b51ea7fd178bcd1984cb072b
Tags:exeuser-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Sample file is different than original file name gathered from version info

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: zox1oNM5Xl.exe | Joe Sandbox ML: detected
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: zox1oNM5Xl.exe

System Summary

Source: zox1oNM5Xl.exe | Static PE information: section name:
Source: zox1oNM5Xl.exe | Static PE information: Data appended to the last section found
Source: zox1oNM5Xl.exe | Binary or memory string: OriginalFilenameB vs zox1oNM5Xl.exe
Source: zox1oNM5Xl.exe | Static PE information: Section: ZLIB complexity 1.0000576934171812
Source: classification engine | Classification label: mal56.winEXE@0/0@0/0
Source: zox1oNM5Xl.exe | Static file information: File size 4477543 > 1048576
Source: zox1oNM5Xl.exe | Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x60e000
Source: Binary string: Z:\Oreans Projects\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: zox1oNM5Xl.exe
Source: initial sample | Static PE information: section where entry point is pointing to: .themida
Source: zox1oNM5Xl.exe | Static PE information: real checksum: 0x623c38 should be: 0x446a60
Source: zox1oNM5Xl.exe | Static PE information: section name:
Source: zox1oNM5Xl.exe | Static PE information: section name: .imports
Source: zox1oNM5Xl.exe | Static PE information: section name: .themida
Source: zox1oNM5Xl.exe | Static PE information: section name: entropy: 7.972559965934052

Hooking and other Techniques for Hiding and Protection

Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: telegram2.png
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Software Packing | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
zox1oNM5Xl.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1581392
    Start date and time:2024-12-27 14:52:45 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 43s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:zox1oNM5Xl.exe
    renamed because original name is a hash value
    Original Sample Name:e6966719c5ad13b4ffeb3475c037410e.exe
    Detection:MAL
    Classification:mal56.winEXE@0/0@0/0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Unable to launch sample, stop analysis
    • No process behavior to analyse as no analysis process or sample was found
    • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.63
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
    • VT rate limit hit for: zox1oNM5Xl.exe
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0035.t-0009.t-msedge.net | JA7cOAGHym.exe | malicious | Vidar | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | OTRykEzo6o.exe | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | wceaux.dll.dll | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | wp.bat | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | RDb082EApV.exe | malicious | LummaC | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | GnHq2ZaBUl.exe | malicious | LummaC | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | EwhnoHx0n5.exe | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | onaUtwpiyq.exe | malicious | LummaC | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | CAo57G5Cio.exe | malicious | LummaC | 13.107.246.63
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.251472499346601
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.94%
    • Win16/32 Executable Delphi generic (2074/23) 0.02%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:zox1oNM5Xl.exe
    File size:4'477'543 bytes
    MD5:e6966719c5ad13b4ffeb3475c037410e
    SHA1:ce7533af05ada74e959859aaae96370de896edf3
    SHA256:627ef85c42fe43276763c5fe0fd5dcc4917e5977b51ea7fd178bcd1984cb072b
    SHA512:98e64ce86a132d3ca6ceeaedd8fdc16dd448d5f8289a8cb7707bdd02607702fcaceb410aeda48d73151cd12b3462a0178ed48a4e5da7c82517dd55ee9cbba9ee
    SSDEEP:98304:IN5yA1a7c5z8Rlj3GmWEjH/XfxYzLgKKf:ysN7HjPigKk
    TLSH:E8265CF23A0AE2DFC2870878E453DD07D56D03F58715A912DC6DB87CAE53D9622C6B28
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c............................BW... ...@....@.. ....................... c.....8<b...@................................
    Icon Hash:0f39636064652b17
    Entrypoint:0x485742
    Entrypoint Section:.themida
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE
    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
    Time Stamp:0x63E41DD4 [Wed Feb 8 22:10:28 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:4328f7206db519cd4e82283211d98e83
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2203a | 0x50 | .imports
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0xa398 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (empty) | 0x2000 | 0x12000 | 0x876a | 0939e25f30ca472549992c3b49d88082 | False | 1.0000576934171812 | data | 7.972559965934052 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x14000 | 0xa398 | 0xa400 | 9deb45ce6bc271949e6a24d48d0cf20a | False | 0.6636099466463414 | data | 7.178108226554093 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x20000 | 0xc | 0x200 | 10f9af4c8625f86c22d663197e4eaa3b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    .imports | 0x22000 | 0x2000 | 0x200 | dbd0fc163d1022be46a45b67e74740b2 | False | 0.16796875 | data | 1.1405531534676816 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .themida | 0x24000 | 0x60e000 | 0x60e000 | 23b669402025e026c71624a1d824e91e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_ICON | 0x141f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.6028368794326241
    RT_ICON | 0x14658 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | | | 0.4405737704918033
    RT_ICON | 0x14fe0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.349906191369606
    RT_ICON | 0x16088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.2425311203319502
    RT_ICON | 0x18630 | 0x4f64 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9969986223184413
    RT_GROUP_ICON | 0x1d594 | 0x4c | data | | | 0.75
    RT_VERSION | 0x1d5e0 | 0x334 | data | | | 0.4353658536585366
    RT_MANIFEST | 0x1d914 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
    DLL | Import
    kernel32.dll | GetModuleHandleA
    mscoree.dll | _CorExeMain
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Dec 27, 2024 14:53:42.075503111 CET | 1.1.1.1 | 192.168.2.11 | 0x64ba | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Dec 27, 2024 14:53:42.075503111 CET | 1.1.1.1 | 192.168.2.11 | 0x64ba | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
    No statistics
    No system behavior
    No disassembly