Edit tour

Windows Analysis Report
D1866edObh.exe

Overview

General Information

Sample name:	D1866edObh.exe renamed because original name is a hash value
Original sample name:	ef5acf7c601098ff5fe92c76fb796cef.exe
Analysis ID:	1520610
MD5:	ef5acf7c601098ff5fe92c76fb796cef
SHA1:	31db2b487c48c37ff0e1a74b2e1a2536b0f7b63d
SHA256:	171e58b3f3c1dd5a8bebcb41a1f5e63a6fa9265c85ee48d21c93b087978addd4
Tags:	exeuser-abuse_ch
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Machine Learning detection for sample

PE file contains an invalid checksum

PE file does not import any functions

PE file overlay found

Uses 32bit PE files

Classification

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: D1866edObh.exe

Joe Sandbox ML: detected

Source: D1866edObh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: D1866edObh.exe	String found in binary or memory: http://2.haory.cn:8988/143/bot/bot.txt
Source: D1866edObh.exe	String found in binary or memory: http://2.haory.cn:8988/143/bot/bot.txtsj=
Source: D1866edObh.exe	String found in binary or memory: http://2.haory.cn:8988/143/bot/img.zip
Source: D1866edObh.exe	String found in binary or memory: http://2.haory.cn:8988/143/bot/sj.exe
Source: D1866edObh.exe	String found in binary or memory: http://code.google.com/p/swfobject/
Source: D1866edObh.exe	String found in binary or memory: http://dev.w3.org/html5/websockets/
Source: D1866edObh.exe	String found in binary or memory: http://gimite.net/en/
Source: D1866edObh.exe	String found in binary or memory: http://javascript.crockford.com/jsmin.html
Source: D1866edObh.exe	String found in binary or memory: http://lol.twrj.xyz/bot/cg/up.php
Source: D1866edObh.exe	String found in binary or memory: http://lol.twrj.xyz/bot/cg/up.phpGETPOSTHEADPUTOPTIONSDELETETRACECONNECTPATCH
Source: D1866edObh.exe	String found in binary or memory: http://lol.twrj.xyz/bot/pj/logs/jp-apple-sjpj-log.txt
Source: D1866edObh.exe	String found in binary or memory: http://tools.ietf.org/html/rfc6455
Source: D1866edObh.exe	String found in binary or memory: http://www.esegece.com
Source: D1866edObh.exe	String found in binary or memory: http://www.indyproject.org/
Source: D1866edObh.exe	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: D1866edObh.exe	String found in binary or memory: https://github.com/Yaffle/EventSource/
Source: D1866edObh.exe	String found in binary or memory: https://www.apple.com/xc/jp/vieworder/
Source: D1866edObh.exe	String found in binary or memory: https://www.baidu.com
Source: D1866edObh.exe	String found in binary or memory: https://www.baidu.comDate:KB3140245http=
Source: D1866edObh.exe	String found in binary or memory: https://www.icloud.com/shortcuts/9dc7baf214a941398a6ab5a6c7d960b5

Source: D1866edObh.exe

Static PE information: No import functions for PE file found

Source: D1866edObh.exe

Static PE information: Data appended to the last section found

Source: D1866edObh.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: sus22.winEXE@0/0@0/0

Source: D1866edObh.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: D1866edObh.exe	String found in binary or memory: NATS-SEFI-ADD
Source: D1866edObh.exe	String found in binary or memory: NATS-DANO-ADD
Source: D1866edObh.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: D1866edObh.exe	String found in binary or memory: jp-ocr-b-add
Source: D1866edObh.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: D1866edObh.exe	String found in binary or memory: jp-ocr-hand-add
Source: D1866edObh.exe	String found in binary or memory: ISO_6937-2-add

Source: D1866edObh.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: D1866edObh.exe

Static file information: File size 2783153 > 1048576

Source: D1866edObh.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15d000
Source: D1866edObh.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x162000

Source: D1866edObh.exe

Static PE information: real checksum: 0x2fc54f should be: 0x2b17b7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
D1866edObh.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.opensource.org/licenses/mit-license.php	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://javascript.crockford.com/jsmin.html	D1866edObh.exe	false		unknown
http://lol.twrj.xyz/bot/pj/logs/jp-apple-sjpj-log.txt	D1866edObh.exe	false		unknown
http://www.opensource.org/licenses/mit-license.php	D1866edObh.exe	false	URL Reputation: safe	unknown
http://2.haory.cn:8988/143/bot/sj.exe	D1866edObh.exe	false		unknown
http://2.haory.cn:8988/143/bot/img.zip	D1866edObh.exe	false		unknown
http://code.google.com/p/swfobject/	D1866edObh.exe	false		unknown
http://www.esegece.com	D1866edObh.exe	false		unknown
http://tools.ietf.org/html/rfc6455	D1866edObh.exe	false		unknown
https://www.baidu.comDate:KB3140245http=	D1866edObh.exe	false		unknown
http://lol.twrj.xyz/bot/cg/up.phpGETPOSTHEADPUTOPTIONSDELETETRACECONNECTPATCH	D1866edObh.exe	false		unknown
http://2.haory.cn:8988/143/bot/bot.txtsj=	D1866edObh.exe	false		unknown
http://gimite.net/en/	D1866edObh.exe	false		unknown
https://github.com/Yaffle/EventSource/	D1866edObh.exe	false		unknown
http://2.haory.cn:8988/143/bot/bot.txt	D1866edObh.exe	false		unknown
http://lol.twrj.xyz/bot/cg/up.php	D1866edObh.exe	false		unknown
http://www.indyproject.org/	D1866edObh.exe	false	URL Reputation: safe	unknown
http://dev.w3.org/html5/websockets/	D1866edObh.exe	false		unknown
https://www.baidu.com	D1866edObh.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520610
Start date and time:	2024-09-27 16:46:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D1866edObh.exe renamed because original name is a hash value
Original Sample Name:	ef5acf7c601098ff5fe92c76fb796cef.exe
Detection:	SUS
Classification:	sus22.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
VT rate limit hit for: D1866edObh.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7410405722874325
TrID:	Win32 Executable (generic) a (10002005/4) 99.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	D1866edObh.exe
File size:	2'783'153 bytes
MD5:	ef5acf7c601098ff5fe92c76fb796cef
SHA1:	31db2b487c48c37ff0e1a74b2e1a2536b0f7b63d
SHA256:	171e58b3f3c1dd5a8bebcb41a1f5e63a6fa9265c85ee48d21c93b087978addd4
SHA512:	da799845891446c61a9210d8828bda73b9e170230434aa0f77707e09d01c246182bea1f9957cc857e8f9b6c935500de7c2ac144cdcb2c85bc0e94393fe77d0ce
SSDEEP:	49152:p9J+C0Jk5KG4elG4T0H53HB7/ClmEf0vuCnWTdPXSgK:/0pKKG4elG4QH53H7EFS
TLSH:	24D58E33F1828472D1612AF06AB6473C6D34BA201D348D87FBF4DDB87E75172AA6614E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......... ...N...N...N...E...N...D...N.a.@...N...B...N...]...N...]...N...O.^.N.a.....N...D.=.N...E...N...\...N...E.j.N...D...N...N...N

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5397ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x66F0112B [Sun Sep 22 12:44:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 006B21E8h
push 0053C9ECh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0055E1DCh]
xor edx, edx
mov dl, ah
mov dword ptr [0072978Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00729788h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00729784h], ecx
shr eax, 10h
mov dword ptr [00729780h], eax
push 00000001h
call 00007F8075169371h
pop ecx
test eax, eax
jne 00007F807516343Ah
push 0000001Ch
call 00007F80751634F8h
pop ecx
call 00007F807516907Ch
test eax, eax
jne 00007F807516343Ah
push 00000010h
call 00007F80751634E7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F8075168EAAh
call dword ptr [0055E3E0h]
mov dword ptr [0072EA04h], eax
call 00007F8075168D68h
mov dword ptr [00729718h], eax
call 00007F8075168B11h
call 00007F8075168A53h
call 00007F80751667E4h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0055E238h]
call 00007F80751689E4h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F8075163438h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2bcde0	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32f000	0x12b88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15e000	0x850	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15c88a	0x15d000	17248fc873abdd6cb27db922c196d1c5	False	0.42447870030444124	data	6.4393155626906955	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15e000	0x1617fa	0x162000	f5b703c1308bc84b8b64107d9bcf54f9	False	0.5233266125895019	data	6.881438690444405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c0000	0x6ea0a	0x1b000	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x32f000	0x12b88	0x13000	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D1866edObh.exe

Overview

General Information

Detection

Signatures

Classification

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Statistics

System Behavior

Disassembly

Windows Analysis Report
D1866edObh.exe