Windows Analysis Report
dfbedc.exe

Overview

General Information

Sample name: dfbedc.exe
Analysis ID: 1520809
MD5: 8276be102845dc450ee81142181bb0ac
SHA1: 86892cdf316dcabd59763693c510039435df16d1
SHA256: 035daed712df0e73601fb6b63ebbe4837b1989c4a51c0ceb5a95134620f6f732
Tags: exe, user-N3utralZ0ne
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Machine Learning detection for sample
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: dfbedc.exe | Joe Sandbox ML: detected
Source: dfbedc.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: dfbedc.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: sus22.winEXE@0/0@0/0
Source: dfbedc.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: dfbedc.exe | Static file information: File size 7580000 > 1048576
Source: dfbedc.exe | Static PE information: Raw size of 2U036ITX is bigger than: 0x100000 < 0xd12800
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dfbedc.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: dfbedc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample | Static PE information: section where entry point is pointing to: EBY5MMT2
Source: dfbedc.exe | Static PE information: real checksum: 0xd47ff1 should be: 0x741dcc
Source: dfbedc.exe | Static PE information: section name: EBY5MMT2
Source: dfbedc.exe | Static PE information: section name: 28B3E94H
Source: dfbedc.exe | Static PE information: section name: 8F376P9X
Source: dfbedc.exe | Static PE information: section name: CSL9ANT3
Source: dfbedc.exe | Static PE information: section name: 2U036ITX
Source: dfbedc.exe | Static PE information: section name: BYRQXKG6
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label | Link
dfbedc.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520809
Start date and time: 2024-09-27 23:35:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dfbedc.exe
Detection: SUS
Classification: sus22.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • VT rate limit hit for: dfbedc.exe
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.987611314245865
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: dfbedc.exe
File size: 7'580'000 bytes
MD5: 8276be102845dc450ee81142181bb0ac
SHA1: 86892cdf316dcabd59763693c510039435df16d1
SHA256: 035daed712df0e73601fb6b63ebbe4837b1989c4a51c0ceb5a95134620f6f732
SHA512: 4ae7f1844c987d97a989585ff5cd78fc72263f3901ba609e6ddd71d5a8ce7757e1aed1fd7e1b21e494539ac4171f9fe2172360d2bc22969134f14ab58a5cb3b2
SSDEEP: 196608:3EU8hXQkvWksO50yO8u98vAHWnwRoCZUxlwQB:U1hXrzP0yO8u9CAHDRoCZ0ll
TLSH: DD763356798388FDF4535AB9C9810E29F1B1FCA85310974F6360A2762E27DF0CA3A771
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b...&f..&f..&f..m... f..m....f..m...,f....B.$f....../f......6f.......f..m...#f..&f..If..5...'f..5...'f..Rich&f.................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x14000b9e4
Entrypoint Section: EBY5MMT2
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x511E37C4 [Fri Feb 15 13:27:32 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 112fa09e6fcdee4634e7578b0a8d6fd4
Instruction
dec eax
sub esp, 28h
call 00007F1E8CF1D870h
dec eax
add esp, 28h
jmp 00007F1E8CF1D49Fh
int3
int3
dec eax
sub esp, 28h
call 00007F1E8CF1DF0Ch
test eax, eax
je 00007F1E8CF1D643h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F1E8CF1D627h
dec eax
cmp ecx, eax
je 00007F1E8CF1D636h
xor eax, eax
dec eax
cmpxchg dword ptr [00021654h], ecx
jne 00007F1E8CF1D610h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F1E8CF1D619h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F1E8CF1D629h
mov byte ptr [0002163Dh], 00000001h
call 00007F1E8CF1DBF9h
call 00007F1E8CF1E0F0h
test al, al
jne 00007F1E8CF1D626h
xor al, al
jmp 00007F1E8CF1D636h
call 00007F1E8CF24ED3h
test al, al
jne 00007F1E8CF1D62Bh
xor ecx, ecx
call 00007F1E8CF1E100h
jmp 00007F1E8CF1D60Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00021604h], 00000000h
mov ebx, ecx
jne 00007F1E8CF1D689h
cmp ecx, 01h
jnbe 00007F1E8CF1D68Ch
call 00007F1E8CF1DE82h
test eax, eax
je 00007F1E8CF1D64Ah
test ebx, ebx
jne 00007F1E8CF1D646h
dec eax
lea ecx, dword ptr [000215EEh]
call 00007F1E8CF24CF2h
test eax, eax
jne 00007F1E8CF1D632h
dec eax
lea ecx, dword ptr [000215F6h]
call 00007F1E8CF1D6E2h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b5ac | 0x3c | 28B3E94H
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3f000 | 0xd1271c | 2U036ITX
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x3d000 | 0x174c | CSL9ANT3
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd52000 | 0x688 | BYRQXKG6
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x295f0 | 0x1c | 28B3E94H
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x294b0 | 0x140 | 28B3E94H
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x20000 | 0x2c8 | 28B3E94H
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
EBY5MMT2 | 0x1000 | 0x1e8d9 | 0x1ea00 | f4f6a0b700925d2a19faf800aa9e1928 | False | 0.566780931122449 | data | 6.511605042899542 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
28B3E94H | 0x20000 | 0xbf0e | 0xc000 | af0c0d023a47bfd15d301a38e8b7f276 | False | 0.45782470703125 | data | 4.958767113867181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
8F376P9X | 0x2c000 | 0x10e68 | 0xc00 | c85731353b85d8811c54a065871da4c6 | False | 0.13736979166666666 | data | 1.9567614228273449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
CSL9ANT3 | 0x3d000 | 0x174c | 0x1800 | 62bd2d8d2fcc90b8810ee233db76ad29 | False | 0.4754231770833333 | PEX Binary Archive | 5.202264597495957 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2U036ITX | 0x3f000 | 0xd1271c | 0xd12800 | a525c4dcb0a00f33d2e18bca163b3a3f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
BYRQXKG6 | 0xd52000 | 0x688 | 0x800 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3f2f0 | 0x22b0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9823198198198199
RT_ICON | 0x415a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.1223429381199811
RT_ICON | 0x457c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.15228215767634853
RT_ICON | 0x47d70 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | | | 0.1727810650887574
RT_ICON | 0x497d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.20708255159474673
RT_ICON | 0x4a880 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.2692622950819672
RT_ICON | 0x4b208 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | | | 0.30465116279069765
RT_ICON | 0x4b8c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.2730496453900709
RT_RCDATA | 0x4bd28 | 0xd04fd0 | data | | | 1.0002155303955078
RT_GROUP_ICON | 0xd50cf8 | 0x76 | empty | | | 0
RT_VERSION | 0xd50d70 | 0x398 | empty | English | United States | 0
RT_MANIFEST | 0xd51108 | 0x33d | empty | | | 0
RT_MANIFEST | 0xd51448 | 0x2d4 | empty | English | United States | 0
DLL | Import
SHELL32.dll | SHFileOperationW, SHGetFolderPathW
KERNEL32.dll | TlsAlloc, WriteConsoleW, CreateDirectoryW, SetConsoleCtrlHandler, GetCommandLineW, WriteFile, TerminateProcess, GetModuleFileNameW, GetTempPathW, FindResourceA, WaitForSingleObject, CreateFileW, GetFileAttributesW, Sleep, GetLastError, LockResource, CloseHandle, LoadResource, SetEnvironmentVariableA, GetCurrentProcessId, CreateProcessW, GetSystemTimeAsFileTime, FormatMessageA, GetExitCodeProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapReAlloc, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetStdHandle, HeapAlloc, MultiByteToWideChar, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, HeapSize

Language of compilation system | Country where language is spoken | Map
English | United States |
No network behavior found
No statistics
No system behavior
No disassembly