Windows Analysis Report
D1866edObh.exe

Overview

General Information

Sample name: D1866edObh.exe
renamed because original name is a hash value
Original sample name: ef5acf7c601098ff5fe92c76fb796cef.exe
Analysis ID: 1520610
MD5: ef5acf7c601098ff5fe92c76fb796cef
SHA1: 31db2b487c48c37ff0e1a74b2e1a2536b0f7b63d
SHA256: 171e58b3f3c1dd5a8bebcb41a1f5e63a6fa9265c85ee48d21c93b087978addd4
Tags: exeuser-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Machine Learning detection for sample
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

AV Detection

Source: D1866edObh.exe Joe Sandbox ML: detected
Source: D1866edObh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: D1866edObh.exe String found in binary or memory: http://2.haory.cn:8988/143/bot/bot.txt
Source: D1866edObh.exe String found in binary or memory: http://2.haory.cn:8988/143/bot/bot.txtsj=
Source: D1866edObh.exe String found in binary or memory: http://2.haory.cn:8988/143/bot/img.zip
Source: D1866edObh.exe String found in binary or memory: http://2.haory.cn:8988/143/bot/sj.exe
Source: D1866edObh.exe String found in binary or memory: http://code.google.com/p/swfobject/
Source: D1866edObh.exe String found in binary or memory: http://dev.w3.org/html5/websockets/
Source: D1866edObh.exe String found in binary or memory: http://gimite.net/en/
Source: D1866edObh.exe String found in binary or memory: http://javascript.crockford.com/jsmin.html
Source: D1866edObh.exe String found in binary or memory: http://lol.twrj.xyz/bot/cg/up.php
Source: D1866edObh.exe String found in binary or memory: http://lol.twrj.xyz/bot/cg/up.phpGETPOSTHEADPUTOPTIONSDELETETRACECONNECTPATCH
Source: D1866edObh.exe String found in binary or memory: http://lol.twrj.xyz/bot/pj/logs/jp-apple-sjpj-log.txt
Source: D1866edObh.exe String found in binary or memory: http://tools.ietf.org/html/rfc6455
Source: D1866edObh.exe String found in binary or memory: http://www.esegece.com
Source: D1866edObh.exe String found in binary or memory: http://www.indyproject.org/
Source: D1866edObh.exe String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: D1866edObh.exe String found in binary or memory: https://github.com/Yaffle/EventSource/
Source: D1866edObh.exe String found in binary or memory: https://www.apple.com/xc/jp/vieworder/
Source: D1866edObh.exe String found in binary or memory: https://www.baidu.com
Source: D1866edObh.exe String found in binary or memory: https://www.baidu.comDate:KB3140245http=
Source: D1866edObh.exe String found in binary or memory: https://www.icloud.com/shortcuts/9dc7baf214a941398a6ab5a6c7d960b5
Source: D1866edObh.exe Static PE information: No import functions for PE file found
Source: D1866edObh.exe Static PE information: Data appended to the last section found
Source: D1866edObh.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: sus22.winEXE@0/0@0/0
Source: D1866edObh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D1866edObh.exe String found in binary or memory: NATS-SEFI-ADD
Source: D1866edObh.exe String found in binary or memory: NATS-DANO-ADD
Source: D1866edObh.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: D1866edObh.exe String found in binary or memory: jp-ocr-b-add
Source: D1866edObh.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: D1866edObh.exe String found in binary or memory: jp-ocr-hand-add
Source: D1866edObh.exe String found in binary or memory: ISO_6937-2-add
Source: D1866edObh.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: D1866edObh.exe Static file information: File size 2783153 > 1048576
Source: D1866edObh.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15d000
Source: D1866edObh.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x162000
Source: D1866edObh.exe Static PE information: real checksum: 0x2fc54f should be: 0x2b17b7
No contacted IP information