Edit tour
Windows
Analysis Report
250427-vgz5havsez.bin.exe
Overview
General Information
| Sample name: | 250427-vgz5havsez.bin.exe |
| Analysis ID: | 1675551 |
| MD5: | d94c95cc1448ff398e7dd256183637ca |
| SHA1: | 9ed8845e48b686e186c1d3006f4c24c48e424eb9 |
| SHA256: | 231e5e6f7aa849d4644b9f4cee99c197fbf7d84a8e7c1dc7e3103da5114e79da |
| Tags: | user-UNP4CK |
| Infos: |  |
 | |
Detection
| Score: | 80 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Modifies the windows firewall
Creates Visual Basic Runtime Dlls
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
May infect USB drives
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
250427-vgz5havsez.bin.exe (PID: 2284 cmdline: "C:\Users\ user\Deskt op\250427- vgz5havsez .bin.exe" MD5: D94C95CC1448FF398E7DD256183637CA)
- 250427-vgz5havsez.bin.exe (PID: 6804 cmdline:
"C:\Users\ user\Deskt op\250427- vgz5havsez .bin.exe" MD5: D94C95CC1448FF398E7DD256183637CA)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | ReversingLabs: | |||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00406036 | |
| Source: | Code function: | 2_2_00406036 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | ReversingLabs: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Automated click: | ||
| Source: | Automated click: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_0040405B | |
| Source: | Code function: | 0_2_00404C5B | |
| Source: | Code function: | 0_2_00404C6F | |
| Source: | Code function: | 0_2_0040406F | |
| Source: | Code function: | 0_2_00404083 | |
| Source: | Code function: | 0_2_00404C83 | |
| Source: | Code function: | 0_2_0040401F | |
| Source: | Code function: | 0_2_00404C1F | |
| Source: | Code function: | 0_2_00404033 | |
| Source: | Code function: | 0_2_00404C33 | |
| Source: | Code function: | 0_2_00404047 | |
| Source: | Code function: | 0_2_00404C47 | |
| Source: | Code function: | 0_2_004040D3 | |
| Source: | Code function: | 0_2_004058D3 | |
| Source: | Code function: | 0_2_004034D7 | |
| Source: | Code function: | 0_2_004040E7 | |
| Source: | Code function: | 0_2_004058E7 | |
| Source: | Code function: | 0_2_004034EB | |
| Source: | Code function: | 0_2_004040FB | |
| Source: | Code function: | 0_2_004058FB | |
| Source: | Code function: | 0_2_004034FF | |
| Source: | Code function: | 0_2_0040410F | |
| Source: | Code function: | 0_2_0040590F | |
| Source: | Code function: | 0_2_00404097 | |
| Source: | Code function: | 0_2_00404C97 | |
| Source: | Code function: | 0_2_0040349B | |
| Source: | Code function: | 0_2_004040AB | |
| Source: | Code function: | 0_2_004058AB | |
| Source: | Code function: | 0_2_004034AF | |
| Source: | Code function: | 0_2_004040BF | |
| Source: | Code function: | 0_2_004058BF | |
Boot Survival | |
|---|
| Source: | Key value created or modified: | Jump to behavior | ||
| Source: | Registry key created: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Icon embedded in binary file: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | Registry key created or modified: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 Windows Service | 1 Windows Service | 11 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 11 Registry Run Keys / Startup Folder | 2 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 1 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 2 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 79% | Virustotal | Browse | ||
| 81% | ReversingLabs | Win32.Backdoor.DarkDDoSer | ||
| 100% | Avira | BDS/Backdoor.Gen |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1675551 |
| Start date and time: | 2025-04-27 19:04:25 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 21s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 12 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 250427-vgz5havsez.bin.exe |
| Detection: | MAL |
| Classification: | mal80.evad.winEXE@2/12@0/0 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, s ppsvc.exe, SIHClient.exe, Sgrm Broker.exe, conhost.exe, svcho st.exe - Excluded IPs from analysis (wh
itelisted): 20.12.23.50, 184.8 5.78.223 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, slscr.update.microsoft.com , ctldl.windowsupdate.com, c.p ki.goog, fe3cr.delivery.mp.mic rosoft.com - Not all processes where analyz
ed, report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 19:05:21 | Autostart | |
| 19:05:29 | Autostart |
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9327957768451163 |
| Encrypted: | false |
| SSDEEP: | 24:rAsuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:ruBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 4384F0ECE7DF3DFB813518DFCBE344C2 |
| SHA1: | D3C6E16B413A9B0F873310F8E9C4D4C866A68AED |
| SHA-256: | E7D280EE4218CFAE2A1483767DC8883618FABC5802C453315FB6CB15DA3D7018 |
| SHA-512: | DBB6A193365FD4F3B4390ABA9F6CF9529B3B9E03A893C332C8CFE933D34BB990D0C92294688128763CB64BB61BD4290083C7FC1F28797B9ABC9891525D20A1AC |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.932791374476163 |
| Encrypted: | false |
| SSDEEP: | 24:rEuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:r7BEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 81EC50F547FD1D6B19DE917BCDAB2F87 |
| SHA1: | 5F7893CF7884F0B367CE10B9880A6684E1B808CF |
| SHA-256: | F7D5D27ECC29FA589744689D05BBFA746602CEA380233821D36E32DA5797107F |
| SHA-512: | 258C9B4D6342F3B267147177F21F315765CD05B98FE298F8C5E63CEFA0EA01ED05E1B5C1B49724F761FFB2987E4A656C9A94697CE230C5FA5020A95E4A6141E9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9323444792422575 |
| Encrypted: | false |
| SSDEEP: | 24:ro4uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:roXBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 052B37E41769BA7FE2145C2503DE44B6 |
| SHA1: | C1E8EB74F4FB4DA4EC5A058EC17BA57E26A5B97C |
| SHA-256: | 00B467D7F58B0029E25108FDA862B0BDF1E79455C7B90DB1D86A13EDE9D18158 |
| SHA-512: | CDDABA829411D9FDC2E7925E1C9FD135621BF5BE0AC157A07516961F453B645F94A3B79E2165C3D88398AF57224BA25A418059CABFFFDE21EB49C54EC50B17A8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.932791374476163 |
| Encrypted: | false |
| SSDEEP: | 24:rEuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:r7BEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 81EC50F547FD1D6B19DE917BCDAB2F87 |
| SHA1: | 5F7893CF7884F0B367CE10B9880A6684E1B808CF |
| SHA-256: | F7D5D27ECC29FA589744689D05BBFA746602CEA380233821D36E32DA5797107F |
| SHA-512: | 258C9B4D6342F3B267147177F21F315765CD05B98FE298F8C5E63CEFA0EA01ED05E1B5C1B49724F761FFB2987E4A656C9A94697CE230C5FA5020A95E4A6141E9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.933140688815233 |
| Encrypted: | false |
| SSDEEP: | 24:r/uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:rqBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 764F526FFB4A3AA48212A1DE6E0F5381 |
| SHA1: | A4BAC3CCEE33FC3DF3CE8634EABE0BEFE569B4CE |
| SHA-256: | F5B747A2F4B7ED3A39F53FE112230A2886063C59DE0A2FDD0521D0E19EE1FABF |
| SHA-512: | 2C5514DDC4D8B4C0B1A0DC66B9F5A59A67C06F3E9A5A4918ED598F82027240F5F86F7AF14F4CAE833A3A2472B7C75DE4E93D5A4E035513268A0040EF78619D36 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9321106460071027 |
| Encrypted: | false |
| SSDEEP: | 24:r74uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:r7XBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 6F408EDD0A6FB1E0FDFDB939A4A8E28A |
| SHA1: | 8B10CC82DA0A05EEFBEF1C4616740761C59AA0F2 |
| SHA-256: | E6C2A529C50D02EE8C5B992C983E0227B6E9762AEAE3668B01F141E1A4808BB3 |
| SHA-512: | 50EAF8F20D93914A88BA06E8C940B609AA2BD8547957B6D40CF97ED935CD4F887560888648AD8C4CC3334ED806106A2FEFD4C82AAD7B62F6463D89C814A47865 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9318128504100076 |
| Encrypted: | false |
| SSDEEP: | 24:rYuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:r3BEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | BB340CE1CE16BCCF96F69E43066283AA |
| SHA1: | CEC6826A2F451A4E2EDA903A69BB64010B4344E2 |
| SHA-256: | FC8F7F17A3CA3C81AEA4D68B061A796FE62A8E291AC220E011037DA3744ED1CA |
| SHA-512: | F2CE986129826E7C7089266E9F4034D3ACED40983FF21E00F16123A31CA735DF80D27DB6925C8D7BA19DB1DE6812E58E3C3BE59D46AEE19DFA15DF82501491E8 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9327957768451163 |
| Encrypted: | false |
| SSDEEP: | 24:rAsuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:ruBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 4384F0ECE7DF3DFB813518DFCBE344C2 |
| SHA1: | D3C6E16B413A9B0F873310F8E9C4D4C866A68AED |
| SHA-256: | E7D280EE4218CFAE2A1483767DC8883618FABC5802C453315FB6CB15DA3D7018 |
| SHA-512: | DBB6A193365FD4F3B4390ABA9F6CF9529B3B9E03A893C332C8CFE933D34BB990D0C92294688128763CB64BB61BD4290083C7FC1F28797B9ABC9891525D20A1AC |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.933410895520493 |
| Encrypted: | false |
| SSDEEP: | 24:r/uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:rqBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 7618ABB9A83DE8EF543E399A0444A85E |
| SHA1: | C9FFFA86692192A63BD411BAC34BA8D414BBAEDC |
| SHA-256: | E7650DECC99669E806CD2A71D19416765F7EE446F3027FFEA699F3CDBC37858C |
| SHA-512: | 2C90512F22F7590F30D2F877B1239958C1CAA7A7E2BCE1D46DE39C53EEA89624E0C284CD3A2C84963434E82C1C87A936CAE5E87F67BCF7501BED5A0515708620 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9329768677427155 |
| Encrypted: | false |
| SSDEEP: | 24:r6uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:rlBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 61847DB7002E219139BDF6C6B44387EC |
| SHA1: | BD5684ABCB91217D8B1B1F75A5D2552B93066405 |
| SHA-256: | 357EF83D1662810E0747EA71E3F3F74353A385F9453B398E1A218A976839A52E |
| SHA-512: | FB9BF81078957F11CB0428203D0FE42F5363FCAE94F9A43F2B08771E7746F3EC79B331D1718711B6574BC1F0187D9E71532E173B723570F2E335B1EE20CF79E9 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9327957768451163 |
| Encrypted: | false |
| SSDEEP: | 24:r3uxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:riBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | 04F7CC0D1CFA6079E9A05D51CD36E591 |
| SHA1: | 8BB11F2113E4D4619E8BE876CF994877F8DFFA0B |
| SHA-256: | 68E6B92334BF8477E03381A2A152A548587537EFF8F1458A203CD434C1E2B7B7 |
| SHA-512: | BE81FEA5EF1EB98567D2FFFD7AB40C06CE349D5242A1E2DC231B34D66FE8BF6F8C1426E378BD8AB34AE84E8E835C5569C565B2B0C524C06CF80417E7A78E78BE |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4608 |
| Entropy (8bit): | 2.9329595979176344 |
| Encrypted: | false |
| SSDEEP: | 24:rpuxBu+E3lOC9ZKoGNUWrYAeb7Ryrwm9YwelFgu8LSHMf0tvLLv9:rQBEVhaoSbYAeb7Erw7Hlm5f0Vv |
| MD5: | E3F79BB286B354AAC442025C8355E2E8 |
| SHA1: | 434E0756B8D606750BB09AC5887F6BE407766147 |
| SHA-256: | 8902F5A555F11FFCC136883AD886B802C5214D3B8978EB7D1C963B3C5875602A |
| SHA-512: | B9462DD0C4C04B3203278DCC843C089F9C93D085F6EDF51AD288E23C81147A94153BB45317892C24543B49179F7959C96045A858539D6CC278DCCA4AEC1CA686 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 4.942028094043463 |
| TrID: |
|
| File name: | 250427-vgz5havsez.bin.exe |
| File size: | 143'360 bytes |
| MD5: | d94c95cc1448ff398e7dd256183637ca |
| SHA1: | 9ed8845e48b686e186c1d3006f4c24c48e424eb9 |
| SHA256: | 231e5e6f7aa849d4644b9f4cee99c197fbf7d84a8e7c1dc7e3103da5114e79da |
| SHA512: | c16c6534448441ed18005d4b8266d951e881d2dd61492c809bbd3111c4e5b8a68ad655308ea4fb17cdb08cf7071ecdec0f557ab67a132751ce8a28f4d0997f36 |
| SSDEEP: | 3072:gUZFmSXCmjaNIiL95R7o91y0t/GwJAzFkG:zZgJOy+G3Fk |
| TLSH: | 2CE31B0677D24211E2761B722AFBCAA15B73BC14AF578B1F2244237D1C32E618D66F27 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....{I.....................P............... ....@................ |
 | |
| Icon Hash: | 3686d0ca42720e01 |
| Entrypoint: | 0x401204 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x497BF218 [Sun Jan 25 05:01:12 2009 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | ed328cf0157c78f2ff3b7adbe6e53cee |
| Instruction |
|---|
| push 004013DCh |
| call 00007FFBE8FC5573h |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| xor byte ptr [eax], al |
| add byte ptr [eax], al |
| inc eax |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [ebp-66783401h], bh |
| sub byte ptr [ebp+47h], bl |
| mov edx, 83A97E26h |
| inc esp |
| mul byte ptr [esi+00h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [ecx], al |
| add byte ptr [eax], al |
| add byte ptr [ecx+6Eh], ch |
| sub dword ptr [bx+si], esp |
| inc ecx |
| jnbe 00007FFBE8FC55EBh |
| outsb |
| insb |
| outsd |
| outsd |
| outsb |
| add byte ptr [edx+69h], dh |
| jbe 00007FFBE8FC55E3h |
| je 00007FFBE8FC55E7h |
| and byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [ecx], al |
| add byte ptr [ecx], cl |
| add byte ptr [eax+0000405Bh], bh |
| add byte ptr [eax], al |
| add bh, bh |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21e24 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0xb9c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xd0 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x20fbc | 0x21000 | 41707a8f0d51062baaf866860c17e297 | False | 0.3539151278409091 | data | 5.07833313166156 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x22000 | 0x33dc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x26000 | 0xb9c | 0x1000 | d815aa200e107997b2475178aabf3d8e | False | 0.274658203125 | Windows boot log, header size 0x497bf218, 0x30000 valid bytes | 3.072698765222573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x262f4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | 0.35965703971119134 | ||
| RT_GROUP_ICON | 0x262e0 | 0x14 | data | 1.25 | ||
| RT_VERSION | 0x260f0 | 0x1f0 | MS Windows COFF PowerPC object file | English | United States | 0.5080645161290323 |
| DLL | Import |
|---|---|
| MSVBVM60.DLL | MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, ProcCallEngine |
| Description | Data |
|---|---|
| Translation | 0x0409 0x04b0 |
| CompanyName | Microsoft |
| ProductName | |
| FileVersion | 1.01 |
| ProductVersion | 1.01 |
| InternalName | BoT |
| OriginalFilename | BoT.exe |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 13:05:17 |
| Start date: | 27/04/2025 |
| Path: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 143'360 bytes |
| MD5 hash: | D94C95CC1448FF398E7DD256183637CA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 13:05:37 |
| Start date: | 27/04/2025 |
| Path: | C:\Users\user\Desktop\250427-vgz5havsez.bin.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 143'360 bytes |
| MD5 hash: | D94C95CC1448FF398E7DD256183637CA |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
| Execution Coverage: | 1.3% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2 |
| Total number of Limit Nodes: | 0 |
Graph
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Download Yara Rule
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
| Execution Coverage: | 1.3% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 2 |
| Total number of Limit Nodes: | 0 |
Graph
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
