Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
6xKJ0LSg59.exe

Overview

General Information

Sample name:6xKJ0LSg59.exe
renamed because original name is a hash value
Original sample name:f69f2c50d131e5a64466f3c7fe189585.exe
Analysis ID:1520444
MD5:f69f2c50d131e5a64466f3c7fe189585
SHA1:7acbc40843d1889361b88f2b229d75833ed20f09
SHA256:93d5ecc283390e6f59a7ce4c8edcf575821ab46f77384f672827486118d8799a
Tags:exeuser-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Binary contains a suspicious time stamp
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 6xKJ0LSg59.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 6xKJ0LSg59.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 6xKJ0LSg59.exeStatic PE information: No import functions for PE file found
Source: 6xKJ0LSg59.exeStatic PE information: Data appended to the last section found
Source: 6xKJ0LSg59.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: unknown2.winEXE@0/0@0/0
Source: 6xKJ0LSg59.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6xKJ0LSg59.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6xKJ0LSg59.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: 6xKJ0LSg59.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x40fa00
Source: 6xKJ0LSg59.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1dd400
Source: 6xKJ0LSg59.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 6xKJ0LSg59.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6xKJ0LSg59.exeStatic PE information: 0xE58650F3 [Thu Jan 10 06:30:11 2092 UTC]
Source: 6xKJ0LSg59.exeStatic PE information: real checksum: 0x5fda51 should be: 0x64e65

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Timestomp		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
6xKJ0LSg59.exe8%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1520444
Start date and time:2024-09-27 11:10:39 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 28s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:6xKJ0LSg59.exe
renamed because original name is a hash value
Original Sample Name:f69f2c50d131e5a64466f3c7fe189585.exe
Detection:UNKNOWN
Classification:unknown2.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis

Errors

  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: 6xKJ0LSg59.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.3252705911077145
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Win16/32 Executable Delphi generic (2074/23) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:6xKJ0LSg59.exe
File size:406'471 bytes
MD5:f69f2c50d131e5a64466f3c7fe189585
SHA1:7acbc40843d1889361b88f2b229d75833ed20f09
SHA256:93d5ecc283390e6f59a7ce4c8edcf575821ab46f77384f672827486118d8799a
SHA512:932c98e24eff478e0fbd310b2a83c76770e2881cb2ddbb8c3989171cfae2bca68d266a4e63a428fdc32f879e5061b6fb33df7358180ce76008b16a39a90df4e4
SSDEEP:6144:vfdqOsN5orxavWOBdNNUH+JmRU2jeGHE2k3u8Ki:aG8HvWU2DE13gi
TLSH:8C84A50B3880DB05C6591D36C5CDC964875AEF661B51FA3E76AA3B5E62207FF2C0E08D
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P....................@...........A.. ... A...@.. .......................@_.....Q._...@................................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x8118fe
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xE58650F3 [Thu Jan 10 06:30:11 2092 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x4118b00x4b.text
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x4140000x1dd274.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x5ed6000x8020
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x5f20000xc.reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG0x4118540x1c.text
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x20000x40f9040x40fa008653d0d97f19020faaf57b83d53c14a9unknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .sdata0x4120000x1e80x200d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc0x4140000x1dd2740x1dd400d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x5f20000xc0x200d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Network Behavior

      No network behavior found

      Statistics

      No statistics

      System Behavior

      No system behavior

      Disassembly

      No disassembly