Windows Analysis Report
1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe

Overview

General Information

Sample name: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe
Analysis ID: 1525926
MD5: 8f0c37894627370f855b58dc3b333b9d
SHA1: b914fc175dc76de45c6e097832304fde80bc3505
SHA256: 9372e9541b6614a2c2a0cbd3675eda532478586b712e533b0ed578dd2c7cabaf
Tags: base64-decoded, exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains section with special chars
Binary contains a suspicious time stamp
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | ReversingLabs: Detection: 15%
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Joe Sandbox ML: detected
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | String found in binary or memory: http://194.164.76.15:8080/dwn_legit_file
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | String found in binary or memory: http://194.164.76.15:8080/dwn_legit_filehttp://194.164.76.15:8080/dwn_spy_moduleC:
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | String found in binary or memory: http://194.164.76.15:8080/dwn_spy_module

System Summary

Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: P`U6PQR
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: `@L4LA2
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: No import functions for PE file found
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Binary or memory string: OriginalFilename Adobe Download Manager vs 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT size: 0xe80000d0 address: 0x0
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC size: 0x38000160 address: 0x0
Source: classification engine | Classification label: mal56.winEXE@0/0@0/0
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | ReversingLabs: Detection: 15%
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: 0xA35E11A4 [Tue Nov 7 19:31:48 2056 UTC]
Source: initial sample | Static PE information: section where entry point is pointing to: XEAIP
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: real checksum: 0x18966 should be: 0x19830
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: P`U6PQR
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: `@L4LA2
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: 001DYN
Source: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | Static PE information: section name: XEAIP
MITRE ATT&CK matrix (tactic: technique, with the number of matched signatures where any matched)

  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Windows Management Instrumentation
  • Persistence: Path Interception
  • Privilege Escalation: Path Interception
  • Defense Evasion: Timestomp (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Service Discovery
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features
Source | Detection | Scanner | Label | Link
1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | 16% | ReversingLabs | |
1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://194.164.76.15:8080/dwn_legit_file | 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | false | | unknown
http://194.164.76.15:8080/dwn_spy_module | 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | false | | unknown
http://194.164.76.15:8080/dwn_legit_filehttp://194.164.76.15:8080/dwn_spy_moduleC: | 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1525926
Start date and time: 2024-10-04 16:39:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe
Detection: MAL
Classification: mal56.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • VT rate limit hit for: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 6.403840314671167
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1728051010e60e339ea88a684f6571eb8c475e27dcd179b062b9fc584815b0e6126a0bbc1b567.dat-decoded.exe
File size: 67'473 bytes
MD5: 8f0c37894627370f855b58dc3b333b9d
SHA1: b914fc175dc76de45c6e097832304fde80bc3505
SHA256: 9372e9541b6614a2c2a0cbd3675eda532478586b712e533b0ed578dd2c7cabaf
SHA512: 7ed72fc86ccf6883a12b3bb24c26c3e49eef20dc0da1891176113cced6c2720fbbb4db46a7f545befb22a213316abc710dac5ddffb97e69fab34c29846b3450e
SSDEEP: 1536:eCGGo5tale3dAfQOKBqHJ6FxEEEXAEABBtT8Lhzc7:jGG6N82BqpMxEQRBeLh47
TLSH: F1637D83DA43C0F1F4572BF054DAEBBFA6B7BB138962CD36DA1C24B4F926A113509149
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....^................$.v........................@..........................p......f.....@.....{...1...84.w...............
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4014b0
Entrypoint Section: XEAIP
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp: 0xA35E11A4 [Tue Nov 7 19:31:48 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0xe80000d0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6 | 0x72000100 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x38000160 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_TLS | 0xa4000000 | 0x180000a8 | 001DYN
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_IAT | 0x64000000 | 0xd1 | 001DYN
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | P`U6PQR
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | P`U6PQR
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
P`U6PQR | 0x0 | 0x50524642 | 0x90 | 4d134aca19a6b64415897bf840e7880b | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
`@L4LA2 | 0xa | 0x5453434a | 0xc0 | 87968856cfcda52eb10d9136da08e426 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_WRITE
001DYN | 0x11 | 0xd8375757 | 0xa0 | b559af1f687fabe2eda2b567b4f9df15 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ
XEAIP | 0x75 | 0xcd4f4548 | 0x10 | ead3d4cba62cad943dca9fa88139d258 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly