Play interactive tour

Edit tour

Windows Analysis Report SignerLib.exe

Overview

General Information

Sample Name:	SignerLib.exe
Analysis ID:	441008
MD5:	796b3e4674b68b33c906ce32c3275d83
SHA1:	af8dc103b73c194816743ee22023a3cee934ac54
SHA256:	afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

PE file contains strange resources

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SignerLib.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\SignerLib.exe' MD5: 796B3E4674B68B33C906CE32C3275D83)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SignerLib.exe	Virustotal: Detection: 15%			Perma Link
Source: SignerLib.exe	ReversingLabs: Detection: 17%

Source: 0.0.SignerLib.exe.1220000.0.unpack

Avira: Label: TR/ATRAPS.Gen4

Source: SignerLib.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Users\user\Desktop\SignerLib.exe

Process Stats: CPU usage > 98%

Source: SignerLib.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SignerLib.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: classification engine

Classification label: mal52.evad.winEXE@1/0@0/0

Source: SignerLib.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SignerLib.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SignerLib.exe	Virustotal: Detection: 15%
Source: SignerLib.exe	ReversingLabs: Detection: 17%

Source: SignerLib.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SignerLib.exe

Static file information: File size 7115776 > 1048576

Source: SignerLib.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6bc400

Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SignerLib.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SignerLib.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SignerLib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SignerLib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SignerLib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SignerLib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SignerLib.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SignerLib.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SignerLib.exe

Memory allocated: page read and write | page guard

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SignerLib.exe	16%	Virustotal		Browse
SignerLib.exe	17%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.SignerLib.exe.1220000.0.unpack	100%	Avira	TR/ATRAPS.Gen4		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	441008
Start date:	27.06.2021
Start time:	19:33:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SignerLib.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.591342929980768
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SignerLib.exe
File size:	7115776
MD5:	796b3e4674b68b33c906ce32c3275d83
SHA1:	af8dc103b73c194816743ee22023a3cee934ac54
SHA256:	afb5cbe324865253c7a9dcadbe66c66746ea360f0cd184a2f4e1bbf104533ccd
SHA512:	1c47a540582e4030a5e4ffd91df559936f3e585d8e679eb4cf65a03740c35ac2f27126b21af107b08c33b301d6626ff8296be1789ee7638077fcd4ae451cd50c
SSDEEP:	196608:FaSSW6I52i0ezA2avJ25OjX7qo+YDuTNROilLZGfNaSvY9P0QmXSSZINaWMFUtnr:gSS6/3ahKOjrqquTNROilLZoazsQmrZ0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........p....C...C...C...B...C...BS..C...B...Cg..B...Cg..B...Cg..B...C...B...C...C...C...C...C@..B...CRich...C........PE..L......`...

File Icon


Icon Hash:	3636b5a5a6b5b112

Static PE Info

General
Entrypoint:	0xaafe69
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:	0x60D5FB1C [Fri Jun 25 15:49:48 2021 UTC]
TLS Callbacks:	0xaa5970
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b4a4f42eeacc77c5d3caaa7d5ec68819

Entrypoint Preview

Instruction
call 00007F5D548C5312h
jmp 00007F5D548C4E39h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007F5D548C4FDAh
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007F5D548C5003h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F5D548C4FB6h
div ebx
mov esi, eax
mul dword ptr [esp+18h]
mov ecx, eax
mov eax, dword ptr [esp+14h]
mul esi
add edx, ecx
jc 00007F5D548C4FD0h
cmp edx, dword ptr [esp+10h]
jnbe 00007F5D548C4FCAh
jc 00007F5D548C4FC9h
cmp eax, dword ptr [esp+0Ch]
jbe 00007F5D548C4FC3h
dec esi
xor edx, edx
mov eax, esi
pop esi
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007F5D548C4FCEh
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007F5D548C4FA9h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6c740c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6ca000	0x51c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6cb000	0x1cc0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c6c0c	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x6c6d00	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6c6c28	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6be000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6bc2e7	0x6bc400	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6be000	0x9c4a	0x9e00	False	0.443482990506	data	5.36754570285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6c8000	0x139c	0xa00	False	0.14453125	data	1.86819954265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x6ca000	0x51c	0x600	False	0.503255208333	data	4.62197862235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6cb000	0x1cc0	0x1e00	False	0.760026041667	GLS_BINARY_LSB_FIRST	6.51987828401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x6ca0a0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x6ca508	0x14	data	English	United States

Imports

DLL

Import

KERNEL32.dll

GetCommandLineA, GetTickCount, GetLastError, GetVersion, GetCurrentProcess, GetProcessHeap, GetEnvironmentStrings, VirtualAlloc, GetSystemInfo, GetModuleHandleA, GetProcAddress, TlsGetValue, TlsSetValue, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, SetLastError, GetEnvironmentVariableW, GetStdHandle, GetConsoleMode, WriteFile, WriteConsoleW, GetCurrentThread, RtlCaptureContext, ReleaseMutex, GetCurrentDirectoryW, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, CloseHandle, TlsAlloc, GetModuleHandleW, FormatMessageW, InitializeCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapAlloc, HeapFree, HeapReAlloc, AddVectoredExceptionHandler, SetThreadStackGuarantee, CreateFileW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, TerminateProcess, RtlUnwind, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, HeapSize, FlushFileBuffers, GetConsoleCP, SetFilePointerEx, DecodePointer

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SignerLib.exe PID: 6076 Parent PID: 5708

General

Start time:	19:34:41
Start date:	27/06/2021
Path:	C:\Users\user\Desktop\SignerLib.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SignerLib.exe'
Imagebase:	0x1220000
File size:	7115776 bytes
MD5 hash:	796B3E4674B68B33C906CE32C3275D83
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SignerLib.exe PID: 6076 Parent PID: 5708 SignerLib.exeCOMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 012211C9, Relevance: 1.5, APIs: 1, Instructions: 2
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsA.KERNEL32 ref: 012211C9

Memory Dump Source

Source File: 00000000.00000002.581128027.0000000001221000.00000020.00020000.sdmp, Offset: 01220000, based on PE: true

Associated: 00000000.00000002.580658094.0000000001220000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_SignerLib.jbxd

Similarity

API ID: EnvironmentStrings
String ID:
API String ID: 2794021878-0
Opcode ID: 089d9486223b67812fce7978404d60285dd6758b3b94393d3e5b724ad1855514
Instruction ID: 620160ef96846537967366a5139775d1f73df7cc9a259a855fb558e7b8096b32
Opcode Fuzzy Hash: 089d9486223b67812fce7978404d60285dd6758b3b94393d3e5b724ad1855514
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SignerLib.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SignerLib.exe PID: 6076 Parent PID: 5708

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SignerLib.exe PID: 6076 Parent PID: 5708 SignerLib.exeCOMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 012211C9, Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Control-flow Graph

Non-executed Functions

Function 012211C9, Relevance: 1.5, APIs: 1, Instructions: 2
COMMON