Windows Analysis Report
123.exe

Overview

General Information

Sample name:123.exe
Analysis ID:1528664
MD5:9bfe2ae2ae254503f4eec44226c721a5
SHA1:28f6d5101885bdfcba78e3131bf27f2d30d5b670
SHA256:7419585e103319649f2871b7ea75ad51fd4fbd1c38ce2950ffd59f5795aba934
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 123.exe | ReversingLabs: Detection: 62%
Source: 123.exe | Virustotal: Detection: 60%
Source: 123.exe | Joe Sandbox ML: detected
Source: 123.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 123.exe | Static PE information: Number of sections : 13 > 10
Source: 123.exe | Static PE information: No import functions for PE file found
Source: 123.exe | Static PE information: Data appended to the last section found
Source: 123.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine | Classification label: mal52.winEXE@0/0@0/0
Source: 123.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 123.exe | ReversingLabs: Detection: 62%
Source: 123.exe | Virustotal: Detection: 60%
Source: 123.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 123.exe | Static file information: File size 1177365 > 1048576
Source: 123.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e3e00
Source: 123.exe | Static PE information: section name: /4
Source: 123.exe | Static PE information: section name: /18
Source: 123.exe | Static PE information: section name: /30
Source: 123.exe | Static PE information: section name: /43
Source: 123.exe | Static PE information: section name: /59
Source: 123.exe | Static PE information: section name: /75
Source: 123.exe | Static PE information: section name: /90
Source: 123.exe | Static PE information: section name: /109
Source: 123.exe | Static PE information: section name: .symtab
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label
123.exe | 62% | ReversingLabs | Win32.Hacktool.CobaltStrike
123.exe | 61% | Virustotal |
123.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528664
Start date and time:2024-10-08 08:34:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 27s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:0
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:123.exe
Detection:MAL
Classification:mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):5.775347191133593
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:123.exe
File size:1'177'365 bytes
MD5:9bfe2ae2ae254503f4eec44226c721a5
SHA1:28f6d5101885bdfcba78e3131bf27f2d30d5b670
SHA256:7419585e103319649f2871b7ea75ad51fd4fbd1c38ce2950ffd59f5795aba934
SHA512:35de78629af0293e49b53805e4502874c440927aab50520ea5c7467f228edf92c00509eca45972618b8630d29680c9a1bfda4970435ff20c960ebdbbc7cea7d5
SSDEEP:24576:vBWelxqsfNMNrpoAgu4B/qJXT/8Yr7mnzvAwZ4kbyjGnfyqwbdSs:8d5VKAOsCfyHd
TLSH:A54523529E1F4C7ECB5C227D287F0E4F23509E048315E9DBA3D66897C24EEAE42375A1
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........PE..............>...................P....@...........................M............................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x44c690
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:
Instruction
push ecx
dec ebp
jns 00007F8E247FAF92h
dec edx
dec ebx
inc ecx
arpl word ptr [edx+edx*2+4Ch], cx
dec eax
dec esi
inc ecx
dec ebp
insb
inc ecx
push edx
dec ebp
push 00000061h
insb
outsd
push edi
dec ecx
inc ebx
arpl word ptr [esi+74h], ax
imul edi, dword ptr [ecx+79h], 58454A50h
inc esp
insb
je 00007F8E247FAF63h
bound ebp, dword ptr [edx+64h]
jns 00007F8E247FAF72h
jne 00007F8E247FAF77h
arpl word ptr [edx+4Bh], bp
push esp
push 00000065h
push esp
dec edx
dec edx
bound edi, dword ptr [edx+4Bh]
push eax
push edx
inc ecx
dec esp
outsb
dec ebp
push ecx
jbe 00007F8E247FAF94h
dec esp
inc ecx
imul ecx, dword ptr [edx+64h], 46h
inc edx
dec ecx
jc 00007F8E247FAF93h
jne 00007F8E247FAF97h
inc edi
dec esp
insb
jne 00007F8E247FAF74h
jnc 00007F8E247FAF63h
push 0000006Fh
push esp
inc edx
inc sp
push ebp
dec ebx
dec eax
dec esp
inc esp
push esi
push ebp
jno 00007F8E247FAF6Ah
push edi
push edx
jns 00007F8E247FAF6Ah
jnbe 00007F8E247FAF7Ch
je 00007F8E247FAF7Bh
dec edx
push ecx
insd
jne 00007F8E247FAF96h
insd
jc 00007F8E247FAF75h
inc edi
push esp
dec ebp
dec eax
inc edi
jp 00007F8E247FAF85h
jo 00007F8E247FAF77h
js 00007F8E247FAF6Ch
jno 00007F8E247FAF9Ah
push ebp
pop ecx
dec edx
imul esi, dword ptr [eax+78h], 474A5175h
dec ecx
outsb
push 66475661h
pop eax
dec ebp
outsb
jns 00007F8E247FAF71h
dec eax
jno 00007F8E247FAF99h
inc edx
push ecx
push esp
jno 00007F8E247FAF63h
jne 00007F8E247FAF6Ch
push 46454C42h
jbe 00007F8E247FAF68h
bound esp, dword ptr [edx+6Ch]
inc edi
inc esp
pop eax
inc esp
inc ebp
inc ebx
inc ebx
inc ebx
je 00007F8E247FAF66h
dec ebp
push 00006479h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x471000 | 0x372 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c2000 | 0x17af0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2e5000 | 0x8c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2e3cb9 | 0x2e3e00 | 7625749baa324a10ca4f431417c72059 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2e5000 | 0x46528 | 0x30200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4 | 0x32c000 | 0x116 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/18 | 0x32d000 | 0x2dcb3 | 0x2de00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/30 | 0x35b000 | 0x24f98 | 0x25000 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/43 | 0x380000 | 0x13181 | 0x13200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/59 | 0x394000 | 0x1eca8 | 0x1ee00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/75 | 0x3b3000 | 0x20 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90 | 0x3b4000 | 0x22 | 0x200 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/109 | 0x3b5000 | 0xbb3a5 | 0xbb400 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x471000 | 0x372 | 0x400 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.symtab | 0x472000 | 0x4f2d5 | 0x4f400 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x4c2000 | 0x17af0 | 0x17c00 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
No network behavior found
No statistics
No system behavior
No disassembly