
Windows Analysis Report
KOnbUgYLQP.exe

Overview

General Information

Sample name: KOnbUgYLQP.exe
renamed because original name is a hash value
Original sample name: 7cb38901cf67749727647d48cf88bb46.exe
Analysis ID: 1520449
MD5: 7cb38901cf67749727647d48cf88bb46
SHA1: 9d47161d43993f6a66ee2309dcc810bbea8c98e6
SHA256: 18a19ff258dd8b7dcb48f1ea37b94129d06853d3ba8ae8b902fac237c108a8f3
Tags: exe user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: KOnbUgYLQP.exe | ReversingLabs: Detection: 21%
Source: KOnbUgYLQP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: KOnbUgYLQP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: KOnbUgYLQP.exe | String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: KOnbUgYLQP.exe | Static PE information: No import functions for PE file found
Source: KOnbUgYLQP.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
Source: KOnbUgYLQP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KOnbUgYLQP.exe | String found in binary or memory: Estimated total CPU time spent performing GC tasks on processors (as defined by GOMAXPROCS) dedicated to those tasks. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent running user Go code. This may also include some small amount of time spent in the Go runtime. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time goroutines spent performing GC tasks to assist the GC and prevent it from falling behind the application. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent returning unused memory to the underlying platform in response eagerly in response to memory pressure. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total CPU time spent performing tasks that return unused memory to the underlying platform. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics. Sum of all metrics in /cpu/classes/scavenge.Count of small allocations that are packed together into blocks. These allocations are counted separately from other allocations because each individual allocation is not tracked by the runtime, only their block. Each block is already accounted for in allocs-by-size and frees-by-size.Approximate cumulative time goroutines have spent blocked on a sync.Mutex, sync.RWMutex, or runtime-internal lock. This metric is useful for identifying global changes in lock contention. 
Collect a mutex or block profile using the runtime/pprof package for more detailed contention data.Estimated total available CPU time not spent executing any Go or Go runtime code. In other words, the part of /cpu/classes/total:cpu-seconds that was unused. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subse
Source: KOnbUgYLQP.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KOnbUgYLQP.exe | Static file information: File size 6151380 > 1048576
Source: KOnbUgYLQP.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x45f000
Source: KOnbUgYLQP.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x5a5600
Source: KOnbUgYLQP.exe | Static PE information: real checksum: 0xab9795 should be: 0x5e45bf
Source: KOnbUgYLQP.exe | Static PE information: section name: .symtab

Tactic | Technique
Reconnaissance | Gather Victim Identity Information
Resource Development | Acquire Infrastructure
Initial Access | Valid Accounts
Execution | Command and Scripting Interpreter (2)
Persistence | Path Interception
Privilege Escalation | Path Interception
Defense Evasion | Direct Volume Access
Credential Access | OS Credential Dumping
Discovery | System Service Discovery
Lateral Movement | Remote Services
Collection | Data from Local System
Command and Control | Data Obfuscation
Exfiltration | Exfiltration Over Other Network Medium
Impact | Abuse Accessibility Features
Source | Detection | Scanner | Label | Link
KOnbUgYLQP.exe | 21% | ReversingLabs | Win32.Trojan.Generic |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/golang/protobuf/issues/1609): | KOnbUgYLQP.exe | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520449
Start date and time: 2024-09-27 11:17:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: KOnbUgYLQP.exe
renamed because original name is a hash value
Original Sample Name: 7cb38901cf67749727647d48cf88bb46.exe
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • VT rate limit hit for: KOnbUgYLQP.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.042878368557158
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.53%
  • InstallShield setup (43055/19) 0.43%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: KOnbUgYLQP.exe
File size: 6'151'380 bytes
MD5: 7cb38901cf67749727647d48cf88bb46
SHA1: 9d47161d43993f6a66ee2309dcc810bbea8c98e6
SHA256: 18a19ff258dd8b7dcb48f1ea37b94129d06853d3ba8ae8b902fac237c108a8f3
SHA512: 34f0b0ef371f5071df64a0c8310599a0ee6dcb82740113688d9f56e73e78bb2747dfde9598450bb7f078d6ed6295fb075e03be6c2af69849993a276492714324
SSDEEP: 49152:aEqF4CqIkvNrC75q9mpFj3roCZO7VxorEjsOVSJ50TTmaEETNdjGI6vBmn3hR5hO:zqF4Ro3roj2EwF0dnRR5hI
TLSH: C756C550FACB84F1DD4349B2A05FB27F5B345E05CB3CDBDBEA542E46E8276921832219
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........................E.........pM.......`....@.......................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x474d70
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash:

Instruction (entrypoint disassembly)
    jmp 00007FF30CB9E6A0h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    sub esp, 28h
    mov dword ptr [esp+1Ch], ebx
    mov dword ptr [esp+10h], ebp
    mov dword ptr [esp+14h], esi
    mov dword ptr [esp+18h], edi
    mov dword ptr [esp], eax
    mov dword ptr [esp+04h], ecx
    call 00007FF30CB7A2A6h
    mov eax, dword ptr [esp+08h]
    mov edi, dword ptr [esp+18h]
    mov esi, dword ptr [esp+14h]
    mov ebp, dword ptr [esp+10h]
    mov ebx, dword ptr [esp+1Ch]
    add esp, 28h
    retn 0004h
    ret
    int3
    int3
    int3
    int3
    int3
    int3
    sub esp, 08h
    mov ecx, dword ptr [esp+0Ch]
    mov edx, dword ptr [ecx]
    mov eax, esp
    mov dword ptr [edx+04h], eax
    sub eax, 00010000h
    mov dword ptr [edx], eax
    add eax, 00000BA0h
    mov dword ptr [edx+08h], eax
    mov dword ptr [edx+0Ch], eax
    lea edi, dword ptr [ecx+34h]
    mov dword ptr [edx+18h], ecx
    mov dword ptr [edi], edx
    mov dword ptr [esp+04h], edi
    call 00007FF30CBA0AF4h
    cld
    call 00007FF30CB9FB8Eh
    call 00007FF30CB9E7C9h
    add esp, 08h
    ret
    jmp 00007FF30CBA09A0h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    mov ebx, dword ptr [esp+04h]
    mov ebp, esp
    mov dword ptr fs:[00000034h], 00000000h
    mov ecx, dword ptr [ebx+04h]
    cmp ecx, 00000000h
    je 00007FF30CBA09A1h
    mov eax, ecx
    shl eax, 02h
    sub esp, eax
    mov edi, esp
    mov esi, dword ptr [ebx+08h]
    cld
    rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa7b000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xabb000 | 0x22d63 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa7c000 | 0x3d434 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa06d80 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x45ef88 | 0x45f000 | 6e9e97bed830a1553f25bb4b4a9cf753 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x460000 | 0x5a5440 | 0x5a5600 | 4c21f916c51438b4a8b29f2d0dfffa4d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa06000 | 0x74600 | 0x4ae00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xa7b000 | 0x44c | 0x600 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0xa7c000 | 0x3d434 | 0x3d600 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0xaba000 | 0x4 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xabb000 | 0x22d63 | 0x22e00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly