
Windows Analysis Report
https://secure.eicar.org/eicar_com.zip

Overview

General Information

Sample URL: https://secure.eicar.org/eicar_com.zip
Analysis ID: 850863
Infos:

Detection

EICAR
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected EICAR
Downloads suspicious files via Chrome

Classification

Classification chart (legend only; the chart image is not reproduced here): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64_ra
  • chrome.exe (PID: 6548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secure.eicar.org/eicar_com.zip MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 1720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1700,i,2335735130976027343,2145712778558125080,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup
Source | Rule | Description | Author | Strings
C:\Users\user\Downloads\0bf04b5c-0b5b-4a1c-9f2f-f9fc2fa39cf8.tmp | JoeSecurity_EICAR | Yara detected EICAR | Joe Security |
        No Sigma rule has matched
        No Snort rule has matched


        AV Detection

Source: https://secure.eicar.org/eicar_com.zip, Virustotal: Detection: 10%
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\GoogleUpdater
Source: unknown, DNS traffic detected: queries for: secure.eicar.org
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown, Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown, Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown, Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown, Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown, TCP traffic detected without corresponding DNS query: 142.250.185.227
Source: unknown, TCP traffic detected without corresponding DNS query: 142.250.186.164

        System Summary

Source: Yara match, File source: C:\Users\user\Downloads\0bf04b5c-0b5b-4a1c-9f2f-f9fc2fa39cf8.tmp, type: DROPPED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File dump: C:\Users\user\Downloads\eicar_com.zip (copy)
Source: classification engine, Classification label: mal60.troj.win@24/5@5/113
Source: unknown, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://secure.eicar.org/eicar_com.zip
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1700,i,2335735130976027343,2145712778558125080,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Users\user\Downloads\0bf04b5c-0b5b-4a1c-9f2f-f9fc2fa39cf8.tmp
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, File Volume queried: C:\Windows\System32 FullSizeInformation
Tactics and techniques matrix (numbers in parentheses are the counts shown in the matrix cells):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (3); Process Injection (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Information Discovery (1); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
https://secure.eicar.org/eicar_com.zip | 10% | Virustotal |
https://secure.eicar.org/eicar_com.zip | 0% | Avira URL Cloud | safe
Source | Detection | Scanner | Label
C:\Users\user\Downloads\0bf04b5c-0b5b-4a1c-9f2f-f9fc2fa39cf8.tmp | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
secure.eicar.org | 89.238.73.97 | true | false | | high
accounts.google.com | 142.250.185.109 | true | false | | high
www.google.com | 142.250.185.68 | true | false | | high
clients.l.google.com | 142.250.186.174 | true | false | | high
clients2.google.com | unknown | unknown | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.109 | accounts.google.com | United States | 15169 | GOOGLEUS | false
89.238.73.97 | secure.eicar.org | Germany | 34240 | MANITUDE | false
34.104.35.123 | unknown | United States | 15169 | GOOGLEUS | false
20.224.254.73 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.186.174 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.181.228 | unknown | United States | 15169 | GOOGLEUS | false
142.250.186.164 | unknown | United States | 15169 | GOOGLEUS | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
172.217.16.131 | unknown | United States | 15169 | GOOGLEUS | false
52.109.52.148 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
IP
192.168.2.1
127.0.0.1
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 850863
Start date and time: 2023-04-20 13:25:48 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Sample URL: https://secure.eicar.org/eicar_com.zip
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 1
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.troj.win@24/5@5/113
• Exclude process from analysis (whitelisted): rundll32.exe
• Excluded IPs from analysis (whitelisted): 172.217.16.131, 34.104.35.123
• Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, login.live.com, clientservices.googleapis.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtWriteVirtualMemory calls found.
File Type: data
Category: dropped
Size (bytes): 576
Entropy (8bit): 5.056163604018058
Encrypted: false
SSDEEP:
MD5: 81E3E6236D32682A9B946C6433F626E3
SHA1: 38605A469B773C91F6E19F59594D11D9148E750D
SHA-256: 2FA8EDA40EB9AE4991D7AE415B1A616EBFE4F34E48C434D300D0A17B6F4B25A7
SHA-512: 0ABCA1C79197F4B7C1B3F9F8B7A43F439534617579FE75ED13645E0054D51EF50C51E1B7DC73112090DAECE87BF25B081E9C268FC8716EFE06331FEE21B025C2
Malicious: false
Reputation: low
Preview: .6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6*#.A.*bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6...........................................................
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v1.0 to extract, compression method=store
Category: dropped
Size (bytes): 184
Entropy (8bit): 4.960328822686575
Encrypted: false
SSDEEP:
MD5: 6CE6F415D8475545BE5BA114F208B0FF
SHA1: D27265074C9EAC2E2122ED69294DBC4D7CCE9141
SHA-256: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD
SHA-512: D9305862FE0BF552718D19DB43075D88CFFD768974627DB60FA1A90A8D45563E035A6449663B8F66AAC53791D77F37DBB5035159AA08E69FC473972022F80010
Malicious: true
Yara Hits:
• Rule: JoeSecurity_EICAR, Description: Yara detected EICAR, Source: C:\Users\user\Downloads\0bf04b5c-0b5b-4a1c-9f2f-f9fc2fa39cf8.tmp, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: PK...........(<.QhD...D.......eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK.............(<.QhD...D............. .......eicar.comPK..........7...k.....
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v1.0 to extract, compression method=store
Category: dropped
Size (bytes): 184
Entropy (8bit): 4.960328822686575
Encrypted: false
SSDEEP:
MD5: 6CE6F415D8475545BE5BA114F208B0FF
SHA1: D27265074C9EAC2E2122ED69294DBC4D7CCE9141
SHA-256: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD
SHA-512: D9305862FE0BF552718D19DB43075D88CFFD768974627DB60FA1A90A8D45563E035A6449663B8F66AAC53791D77F37DBB5035159AA08E69FC473972022F80010
Malicious: true
Reputation: low
Preview: PK...........(<.QhD...D.......eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK.............(<.QhD...D............. .......eicar.comPK..........7...k.....
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: Zip archive data, at least v1.0 to extract, compression method=store
Category: dropped
Size (bytes): 184
Entropy (8bit): 4.960328822686575
Encrypted: false
SSDEEP:
MD5: 6CE6F415D8475545BE5BA114F208B0FF
SHA1: D27265074C9EAC2E2122ED69294DBC4D7CCE9141
SHA-256: 2546DCFFC5AD854D4DDC64FBF056871CD5A00F2471CB7A5BFD4AC23B6E9EEDAD
SHA-512: D9305862FE0BF552718D19DB43075D88CFFD768974627DB60FA1A90A8D45563E035A6449663B8F66AAC53791D77F37DBB5035159AA08E69FC473972022F80010
Malicious: false
Reputation: low
Preview: PK...........(<.QhD...D.......eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK.............(<.QhD...D............. .......eicar.comPK..........7...k.....
No static file info