Windows Analysis Report SignerLib.exe
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira: |
Source: | Static PE information: |
Source: | Process Stats: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Anti Debugging: |
---|
Found potential dummy code loops (likely to delay analysis) | Show sources |
Source: | Process Stats: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Memory allocated: | Jump to behavior |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing1 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
16% | Virustotal | Browse | ||
17% | ReversingLabs | Win32.Trojan.Generic |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/ATRAPS.Gen4 | Download File |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 441008 |
Start date: | 27.06.2021 |
Start time: | 19:33:55 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 16s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | SignerLib.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal52.evad.winEXE@1/0@0/0 |
EGA Information: |
|
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.591342929980768 |
TrID: |
|
File name: | SignerLib.exe |
File size: | 7115776 |
MD5: | 796b3e4674b68b33c906ce32c3275d83 |
SHA1: | af8dc103b73c194816743ee22023a3cee934ac54 |
SHA256: | afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd |
SHA512: | 1c47a540582e4030a5e4ffd91df559936f3e585d8e679eb4cf65a03740c35ac2f27126b21af107b08c33b301d6626ff8296be1789ee7638077fcd4ae451cd50c |
SSDEEP: | 196608:FaSSW6I52i0ezA2avJ25OjX7qo+YDuTNROilLZGfNaSvY9P0QmXSSZINaWMFUtnr:gSS6/3ahKOjrqquTNROilLZoazsQmrZ0 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p....C...C...C...B...C...BS..C...B...Cg..B...Cg..B...Cg..B...C...B...C...C...C...C...C@..B...CRich...C........PE..L......`... |
File Icon |
---|
Icon Hash: | 3636b5a5a6b5b112 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0xaafe69 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | TERMINAL_SERVER_AWARE, DYNAMIC_BASE |
Time Stamp: | 0x60D5FB1C [Fri Jun 25 15:49:48 2021 UTC] |
TLS Callbacks: | 0xaa5970 |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | b4a4f42eeacc77c5d3caaa7d5ec68819 |
Entrypoint Preview |
---|
Instruction |
---|
call 00007F5D548C5312h |
jmp 00007F5D548C4E39h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ebx |
push esi |
mov eax, dword ptr [esp+18h] |
or eax, eax |
jne 00007F5D548C4FDAh |
mov ecx, dword ptr [esp+14h] |
mov eax, dword ptr [esp+10h] |
xor edx, edx |
div ecx |
mov ebx, eax |
mov eax, dword ptr [esp+0Ch] |
div ecx |
mov edx, ebx |
jmp 00007F5D548C5003h |
mov ecx, eax |
mov ebx, dword ptr [esp+14h] |
mov edx, dword ptr [esp+10h] |
mov eax, dword ptr [esp+0Ch] |
shr ecx, 1 |
rcr ebx, 1 |
shr edx, 1 |
rcr eax, 1 |
or ecx, ecx |
jne 00007F5D548C4FB6h |
div ebx |
mov esi, eax |
mul dword ptr [esp+18h] |
mov ecx, eax |
mov eax, dword ptr [esp+14h] |
mul esi |
add edx, ecx |
jc 00007F5D548C4FD0h |
cmp edx, dword ptr [esp+10h] |
jnbe 00007F5D548C4FCAh |
jc 00007F5D548C4FC9h |
cmp eax, dword ptr [esp+0Ch] |
jbe 00007F5D548C4FC3h |
dec esi |
xor edx, edx |
mov eax, esi |
pop esi |
pop ebx |
retn 0010h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push ecx |
lea ecx, dword ptr [esp+04h] |
sub ecx, eax |
sbb eax, eax |
not eax |
and ecx, eax |
mov eax, esp |
and eax, FFFFF000h |
cmp ecx, eax |
jc 00007F5D548C4FCEh |
mov eax, ecx |
pop ecx |
xchg eax, esp |
mov eax, dword ptr [eax] |
mov dword ptr [esp], eax |
ret |
sub eax, 00001000h |
test dword ptr [eax], eax |
jmp 00007F5D548C4FA9h |
push ebp |
mov ebp, esp |
mov eax, dword ptr [ebp+08h] |
push esi |
mov ecx, dword ptr [eax+3Ch] |
add ecx, eax |
movzx eax, word ptr [ecx+14h] |
lea edx, dword ptr [ecx+18h] |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6c740c | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6ca000 | 0x51c | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6cb000 | 0x1cc0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c6c0c | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c6d00 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c6c28 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6be000 | 0x164 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6bc2e7 | 0x6bc400 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x6be000 | 0x9c4a | 0x9e00 | False | 0.443482990506 | data | 5.36754570285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x6c8000 | 0x139c | 0xa00 | False | 0.14453125 | data | 1.86819954265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x6ca000 | 0x51c | 0x600 | False | 0.503255208333 | data | 4.62197862235 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x6cb000 | 0x1cc0 | 0x1e00 | False | 0.760026041667 | GLS_BINARY_LSB_FIRST | 6.51987828401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x6ca0a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
RT_GROUP_ICON | 0x6ca508 | 0x14 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetCommandLineA, GetTickCount, GetLastError, GetVersion, GetCurrentProcess, GetProcessHeap, GetEnvironmentStrings, VirtualAlloc, GetSystemInfo, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, GetCurrentThread, RtlCaptureContext, ReleaseMutex, GetCurrentDirectoryW, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, TlsAlloc, GetModuleHandleW, FormatMessageW, InitializeCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, HeapFree, HeapReAlloc, AddVectoredExceptionHandler, SetThreadStackGuarantee, CreateFileW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, RtlUnwind, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, HeapSize, FlushFileBuffers, GetConsoleCP, SetFilePointerEx, DecodePointer |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 19:34:41 |
Start date: | 27/06/2021 |
Path: | C:\Users\user\Desktop\SignerLib.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1220000 |
File size: | 7115776 bytes |
MD5 hash: | 796B3E4674B68B33C906CE32C3275D83 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 0% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 0% |
Total number of Nodes: | 2 |
Total number of Limit Nodes: | 0 |
Graph
Callgraph |
---|
Executed Functions |
---|
Function 012211C9, Relevance: 1.5, APIs: 1, Instructions: 2COMMON
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|