Analysis Report AnyDesk (2).exe
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary: |
---|
PE file contains section with special chars |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Classification label: |
Source: | Mutant created: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Malware Analysis System Evasion: |
---|
Query firmware table information (likely to detect VMs) |
Source: | System information queried: | Jump to behavior |
Tries to detect sandboxes / dynamic malware analysis system (registry check) |
Source: | File opened: | Jump to behavior |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Registry key queried: | Jump to behavior | ||
Source: | Registry key queried: | Jump to behavior | ||
Source: | Registry key queried: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: |
Source: | System information queried: | Jump to behavior |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: | Jump to behavior |
Tries to detect sandboxes and other dynamic analysis tools (window names) |
Source: | Open window title or class name: | ||
Source: | Open window title or class name: | ||
Source: | Open window title or class name: | ||
Source: | Open window title or class name: | ||
Source: | Open window title or class name: | ||
Source: | Open window title or class name: |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection2 | Virtualization/Sandbox Evasion33 | OS Credential Dumping | Security Software Discovery53 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing2 | LSASS Memory | Virtualization/Sandbox Evasion33 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Information Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
17% | Virustotal | Browse |
No Antivirus matches |
---|
No Antivirus matches |
---|
No Antivirus matches |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
No contacted domains info |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 381569 |
Start date: | 03.04.2021 |
Start time: | 22:40:19 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | AnyDesk (2).exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.evad.winEXE@2/1@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
No simulations |
---|
No context |
---|
No context |
---|
No context |
---|
No context |
---|
No context |
---|
Process: | C:\Users\user\Desktop\AnyDesk (2).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34 |
Entropy (8bit): | 3.9176264438733592 |
Encrypted: | false |
SSDEEP: | 3:c+F1U8F4vn:dF1U+in |
MD5: | BE2E0502C0A6B48E474C3C69D7734C19 |
SHA1: | 867608F823A31436D00AD78FECC7DF5108A14B24 |
SHA-256: | DFA8FF25EFC35AFA0E8D7B988868C999CB6CA639DB56DC32415808F5446B0E99 |
SHA-512: | 4C8F3F100DB25A7A90E30B4057A5A8A6A84368BBA6BF14B5C483FF388881C928410CD3C94E5EE807708368321A513BBE20DCCCA87A309AFB1BBF60A13C6CE7AF |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.966378356211286 |
TrID: |
|
File name: | AnyDesk (2).exe |
File size: | 5944848 |
MD5: | 0b4ebd7fc0fc37a5f64d5c1ad3247ef8 |
SHA1: | f5e3587a93a0dd4ddff0d2ca75577f5719763a51 |
SHA256: | 9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb |
SHA512: | 33abcac9edc9f672a1eaffbe9f9ccb3dab2cdc829548edbf389cde122d49e7c9d407c778c81d26b00ab9ac62a72c3f6700fed14f48812954b4a345e722f74740 |
SSDEEP: | 98304:jw2asSqTc42CcE53Fj5v0JLpzF0cMpc3OUQUchbOAwuMZBBhjEYN4uZCv:EAfl5VtvOpzm6pvchaAFEFfS |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..............y.............................................j...................!...p.......#.......#.........}.....#...... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
General | |
---|---|
Entrypoint: | 0x140a7a1b8 |
Entrypoint Section: | .boot |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA |
Time Stamp: | 0x6068C9A6 [Sat Apr 3 20:01:42 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | a9d14bb684d1f510d1683e48b1f609d3 |
Instruction |
---|
call 00007F3FACC50127h |
inc ecx |
push edx |
dec ecx |
mov edx, esp |
inc ecx |
push edx |
dec ecx |
mov esi, dword ptr [edx+10h] |
dec ecx |
mov edi, dword ptr [edx+20h] |
cld |
mov dl, 80h |
mov al, byte ptr [esi] |
dec eax |
inc esi |
mov byte ptr [edi], al |
dec eax |
inc edi |
mov ebx, 00000002h |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
jnc 00007F3FACC4FF86h |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
jnc 00007F3FACC50000h |
xor eax, eax |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
jnc 00007F3FACC500A8h |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
adc eax, eax |
je 00007F3FACC4FFABh |
push edi |
mov eax, eax |
dec eax |
sub edi, eax |
mov al, byte ptr [edi] |
pop edi |
mov byte ptr [edi], al |
dec eax |
inc edi |
mov ebx, 00000002h |
jmp 00007F3FACC4FF2Ah |
mov eax, 00000001h |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
adc eax, eax |
add dl, dl |
jne 00007F3FACC4FFA9h |
mov dl, byte ptr [esi] |
dec eax |
inc esi |
adc dl, dl |
jc 00007F3FACC4FF88h |
sub eax, ebx |
mov ebx, 00000001h |
jne 00007F3FACC4FFD0h |
mov ecx, 00000001h |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb334c | 0x358 | .imports |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb5000 | 0x524 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xa6ca20 | 0x5688 | .themida |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfd4000 | 0x10 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb4018 | 0x28 | .tls |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
0x1000 | 0x84377 | 0x3f1fe | False | 1.00033261396 | data | 7.98367439627 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ | |
0x86000 | 0x216ba | 0xdc8f | False | 0.999787471441 | data | 7.96733701388 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | |
0xa8000 | 0x2b28 | 0x2a1 | False | 1.01634472511 | data | 7.5505744833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ | |
0xab000 | 0x52bc | 0x2fa3 | False | 0.952603526035 | data | 7.63645540104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | |
0xb1000 | 0x528 | 0x290 | False | 1.01676829268 | data | 7.61941636789 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | |
0xb2000 | 0x63c | 0x419 | False | 1.01048617731 | data | 7.58669440589 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | |
.imports | 0xb3000 | 0x1000 | 0x800 | False | 0.29736328125 | data | 3.50135557121 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.tls | 0xb4000 | 0x1000 | 0x200 | False | 0.0625 | data | 0.272849765702 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xb5000 | 0x1000 | 0x600 | False | 0.419270833333 | data | 3.838668413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.themida | 0xb6000 | 0x9c4000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.boot | 0xa7a000 | 0x559400 | 0x559400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.reloc | 0xfd4000 | 0x1000 | 0x10 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.47460175271 | IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_VERSION | 0xb5090 | 0x2fc | data | English | United States |
RT_MANIFEST | 0xb539c | 0x188 | XML 1.0 document text | English | United States |
DLL | Import |
---|---|
kernel32.dll | GetModuleHandleA |
WS2_32.dll | getsockopt |
Normaliz.dll | IdnToAscii |
WLDAP32.dll | |
CRYPT32.dll | CertAddCertificateContextToStore |
ntdll.dll | RtlCaptureContext |
USER32.dll | MessageBoxA |
ADVAPI32.dll | CryptReleaseContext |
SHELL32.dll | ShellExecuteA |
MSVCP140.dll | _Xtime_get_ticks |
VCRUNTIME140_1.dll | __CxxFrameHandler4 |
VCRUNTIME140.dll | __std_exception_destroy |
api-ms-win-crt-runtime-l1-1-0.dll | system |
api-ms-win-crt-stdio-l1-1-0.dll | fsetpos |
api-ms-win-crt-filesystem-l1-1-0.dll | _fstat64 |
api-ms-win-crt-convert-l1-1-0.dll | strtoull |
api-ms-win-crt-environment-l1-1-0.dll | getenv |
api-ms-win-crt-math-l1-1-0.dll | ceil |
api-ms-win-crt-string-l1-1-0.dll | _strdup |
api-ms-win-crt-utility-l1-1-0.dll | rand |
api-ms-win-crt-heap-l1-1-0.dll | malloc |
api-ms-win-crt-time-l1-1-0.dll | _time64 |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
Description | Data |
---|---|
LegalCopyright | Copyright (C) 2019 |
InternalName | svchost.exe |
FileVersion | 10.0.17134.556 |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10.0.17134.556 |
FileDescription | Host Process for Windows Services |
OriginalFilename | svchost.exe |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
Start time: | 22:41:05 |
Start date: | 03/04/2021 |
Path: | C:\Users\user\Desktop\AnyDesk (2).exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff748d00000 |
File size: | 5944848 bytes |
MD5 hash: | 0B4EBD7FC0FC37A5F64D5C1AD3247EF8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Start time: | 22:41:06 |
Start date: | 03/04/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Timing Activities
Windows UI Activities
LPC Port Activities
Disassembly |
---|
Code Analysis |
---|