Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522725
MD5: bd669dea6be898ef2136392bc2e57da7
SHA1: 11dcb42ad05396ee467cdb109cf718ba3a2996d0
SHA256: 3942cca9f9a3490d766f0bb12a196b51c5991cc1cb95a3def4104910212b2bec
Tags: exeuser-jstrosch
Infos:

Detection

Mofksys
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Mofksys
Machine Learning detection for sample
PE file has nameless sections
Contains functionality to detect virtual machines (SGDT)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 65%
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading
barindex
Yara detected Mofksys
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2040759494.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3281652518.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4448, type: MEMORYSTR
Source: file.exe String found in binary or memory: http://www.enigmaprotector.com/

System Summary
barindex
PE file has nameless sections
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
PE file does not import any functions
Source: file.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.3281677796.000000000041F000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe Binary or memory string: A*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp
Source: classification engine Classification label: mal64.spre.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvbvm60.dll Jump to behavior
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x4bf451a should be: 0xaa7c6
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .data entropy: 7.938125683104755
Contains functionality to detect virtual machines (SGDT)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403A5C sgdt fword ptr [eax] 0_2_00403A5C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522725 Sample: file.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 64 7 Multi AV Scanner detection for submitted file 2->7 9 Yara detected Mofksys 2->9 11 Machine Learning detection for sample 2->11 13 PE file has nameless sections 2->13 5 file.exe 2->5         started        process3
No contacted IP infos