Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ROtw3Hvdow.exe

Overview

General Information

Sample name:ROtw3Hvdow.exe
renamed because original name is a hash value
Original sample name:470d5ca56eed0c86a458bddf5469e4f2.exe
Analysis ID:1582989
MD5:470d5ca56eed0c86a458bddf5469e4f2
SHA1:20771f1731aaf27a88e639b606cbf20162ca8fbe
SHA256:c29afe12d83444fcad6ab15b4fc922819e9131776fdfcfb13f2580ea334013ad
Tags:exeuser-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: ROtw3Hvdow.exeVirustotal: Detection: 23%Perma Link
Source: ROtw3Hvdow.exeReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.9% probability
Machine Learning detection for sample
Source: ROtw3Hvdow.exeJoe Sandbox ML: detected
Source: ROtw3Hvdow.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: ROtw3Hvdow.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ROtw3Hvdow.exeStatic PE information: No import functions for PE file found
Source: ROtw3Hvdow.exeStatic PE information: Data appended to the last section found
Source: ROtw3Hvdow.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal56.winEXE@0/0@0/0
Source: ROtw3Hvdow.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ROtw3Hvdow.exeVirustotal: Detection: 23%
Source: ROtw3Hvdow.exeReversingLabs: Detection: 26%
Source: ROtw3Hvdow.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ROtw3Hvdow.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: ROtw3Hvdow.exeStatic file information: File size 2124819 > 1048576
Source: ROtw3Hvdow.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x22ea00
Source: ROtw3Hvdow.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
ROtw3Hvdow.exe24%VirustotalBrowse
ROtw3Hvdow.exe26%ReversingLabs
ROtw3Hvdow.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
bg.microsoft.map.fastly.net
199.232.210.172
truefalse
    		high

    World Map of Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1582989
    Start date and time:2025-01-01 10:14:11 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 26s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:1
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:ROtw3Hvdow.exe
    renamed because original name is a hash value
    Original Sample Name:470d5ca56eed0c86a458bddf5469e4f2.exe
    Detection:MAL
    Classification:mal56.winEXE@0/0@0/0
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Unable to launch sample, stop analysis

    Errors

    • No process behavior to analyse as no analysis process or sample was found
    • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.45
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    bg.microsoft.map.fastly.netvfrcxq.ps1Get hashmaliciousAveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
    • 199.232.210.172
    trwsfg.ps1Get hashmaliciousAveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRATBrowse
    • 199.232.214.172
    vj0Vxt8xM4.exeGet hashmaliciousUnknownBrowse
    • 199.232.210.172
    Dd5DwDCHJD.exeGet hashmaliciousQuasarBrowse
    • 199.232.210.172
    rename_me_before.exeGet hashmaliciousPython Stealer, Exela StealerBrowse
    • 199.232.210.172
    2VsJzzWTpA.exeGet hashmaliciousCobaltStrikeBrowse
    • 199.232.214.172
    2VsJzzWTpA.exeGet hashmaliciousUnknownBrowse
    • 199.232.210.172
    YJaaZuNHwI.exeGet hashmaliciousQuasarBrowse
    • 199.232.210.172
    O782uurN5d.exeGet hashmaliciousDCRatBrowse
    • 199.232.210.172
    bKxtUOPLtR.exeGet hashmaliciousAveMaria, DcRat, KeyLogger, StormKitty, VenomRATBrowse
    • 199.232.210.172

    ASNs

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
    Entropy (8bit):5.017004789024785
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.94%
    • Win16/32 Executable Delphi generic (2074/23) 0.02%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:ROtw3Hvdow.exe
    File size:2'124'819 bytes
    MD5:470d5ca56eed0c86a458bddf5469e4f2
    SHA1:20771f1731aaf27a88e639b606cbf20162ca8fbe
    SHA256:c29afe12d83444fcad6ab15b4fc922819e9131776fdfcfb13f2580ea334013ad
    SHA512:867aefa611f354c24944fd086fbb786ccc6a66cc351687aa883ef228095265bced5ae0fb8abd18d9318dea0b0b0eb551ed922201855db1d6bef404533b127885
    SSDEEP:24576:wqDdns3FYYhWxL3rc/+rhm+qx6GuQ5qGPVmTy9xMNWgJ/AICqQ9pEsePeHMSPs2L:1iDl
    TLSH:20A58DA2B09B48D1F5079FB1C15AB9E00B7171A3AEDBD52F234D33546F6BB993404A0B
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.f.................."...........#.. ... #...@.. .......................`#...........`................................

    File Icon

    Icon Hash:00928e8e8686b000

    Static PE Info

    General

    Entrypoint:0x6309be
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Time Stamp:0x66F94D15 [Sun Sep 29 12:50:29 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x2309700x4b.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x2320000x5b8.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x2340000xc.reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x20000x22e9c40x22ea006fb30215f59fea86d62b453e0d8684a3unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc0x2320000x5b80x600d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc0x2340000xc0x200d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

    Network Behavior

    DNS Answers

    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
    Jan 1, 2025 10:14:55.573143005 CET1.1.1.1192.168.2.90xf26cNo error (0)bg.microsoft.map.fastly.net199.232.210.172A (IP address)IN (0x0001)false
    Jan 1, 2025 10:14:55.573143005 CET1.1.1.1192.168.2.90xf26cNo error (0)bg.microsoft.map.fastly.net199.232.214.172A (IP address)IN (0x0001)false

    Statistics

    No statistics

    System Behavior

    No system behavior

    Disassembly

    No disassembly