Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1531369
MD5:03d8f92e5dda974a1d749dccd37d6ee5
SHA1:996fb6c93e143ca871a41fb3ee7d40c2077a613f
SHA256:26533b228ccef5338c0a9d52cd414ec011f6d7c840090e7fc724f29ab048850c
Tags:exeuser-Bitsight
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file overlay found
Uses 32bit PE files

Classification

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 95.6% probability
Machine Learning detection for sample
Source: file.exeJoe Sandbox ML: detected
Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

System Summary

barindex
PE file contains section with special chars
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .rsrc
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: Data appended to the last section found
Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exeStatic PE information: Section: qbpsrqul ZLIB complexity 0.9952770722909305
Source: classification engineClassification label: mal52.winEXE@0/0@0/0
Source: file.exeStatic PE information: Raw size of qbpsrqul is bigger than: 0x100000 < 0x19da00
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: file.exeStatic PE information: real checksum: 0x1d353e should be: 0xfa5a5
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: .rsrc
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name:
Source: file.exeStatic PE information: section name: qbpsrqul
Source: file.exeStatic PE information: section name: lsditjec
Source: file.exeStatic PE information: section name: .taggant
Source: file.exeStatic PE information: section name: qbpsrqul entropy: 7.926429059240434

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception2
Software Packing		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Obfuscated Files or Information		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
file.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
s-part-0023.t-0009.t-msedge.net0%VirustotalBrowse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
s-part-0023.t-0009.t-msedge.net
13.107.246.51
truefalseunknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1531369
Start date and time:2024-10-11 05:34:13 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis

Errors

  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
s-part-0023.t-0009.t-msedge.nethttps://speedcarad.es/1.phpGet hashmaliciousHTMLPhisherBrowse
  • 13.107.246.51
https://form.jotform.com/242814004861047Get hashmaliciousUnknownBrowse
  • 13.107.246.51
https://url.us.m.mimecastprotect.com/s/i78SCER7VQSp6YXNRsNfJF7h3vl?domain=customervoice.microsoft.comGet hashmaliciousHTMLPhisherBrowse
  • 13.107.246.51
6706e721f2c06.exeGet hashmaliciousRemcosBrowse
  • 13.107.246.51
https://meinfokont.blogspot.com/danimbWRVaGhNb3NYNW1EUnN4RnFyVnNGN1dRZkJsdXlNU0VocXhlZ08zOCticlBmWUZaNURLa3ZsQ3ZRMmg2eGE5UlBjUmozbnlGYUNhUWRWdEdjZVJQOGl5dktSUDA4M2hzV3V2TU1LNWpaaWs9Get hashmaliciousPhisherBrowse
  • 13.107.246.51
A0u5s0P9I6e5j89977455863.htmlGet hashmaliciousHTMLPhisherBrowse
  • 13.107.246.51
https://www.baidu.com/link?url=7AgUGxkCgEsQdPm9T1PXcA0XghaPOWMLvdhGyyVngg844uS4x-KZy4IMqs1ov0OgdFqhAB-_X2oOV9exK4hWC_&wd=ZWxraW58WTI5eVpUUmpaUzVqYjIwPXxNYkdVSlpkdVROdWNyeW1UWU1laElVVW1QbGRGb0F5RmNLcWJadW1CT01YYw==Get hashmaliciousHTMLPhisherBrowse
  • 13.107.246.51
71UTOj3f3U.exeGet hashmaliciousFormBookBrowse
  • 13.107.246.51
GrsefI1q4s.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
  • 13.107.246.51
SWIFT 103 202410071519130850 071024.pdf.vbsGet hashmaliciousRemcosBrowse
  • 13.107.246.51

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.942073138185094
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'015'808 bytes
MD5:03d8f92e5dda974a1d749dccd37d6ee5
SHA1:996fb6c93e143ca871a41fb3ee7d40c2077a613f
SHA256:26533b228ccef5338c0a9d52cd414ec011f6d7c840090e7fc724f29ab048850c
SHA512:2d29d53964016ed23746fe962a7ea93b2e3ac6f886265c92bfbb48df924eae95ede67184195a5cf487dab1c1cdfc062f706172dc37586a6669c8ef93bb05bf44
SSDEEP:24576:JhEC5QWdsxd+31qbvscEfA3kqoDGunTh7Mh8uqf56Ip:ECfGx9LsM3kvGuntMh8uqfDp
TLSH:2B2533510993B4FCF59D6AB917ADFCF61984472C3AECD3BA1E4CE2974A01913E339224
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0xaa4000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:2eabe9054cad5152567f0699947a2c5b

Rich Headers

Programming Language:
  • [C++] VS2010 build 30319
  • [ASM] VS2010 build 30319
  • [ C ] VS2010 build 30319
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [LNK] VS2010 build 30319

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x25d0500x64.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x25d1f80x8.idata
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x00x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
0x10000x25b0000x22800ba76c3ad5bb67323b428b5d7c30e00c3unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc 0x25c0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata 0x25d0000x10000x200c60c4959cc8d384ac402730cc6842bb0False0.1328125data0.9064079259880791IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0x25e0000x2a70000x2007581d341cd21cadc9e693ec4a070829eunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qbpsrqul0x5050000x19e0000x19da009bf97dc15b7373c8b4bacd15bd979851False0.9952770722909305data7.926429059240434IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lsditjec0x6a30000x10000x600d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant0x6a40000x30000x2200d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLLImport
kernel32.dlllstrcpy

Network Behavior

DNS Answers

TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
Oct 11, 2024 05:35:16.525473118 CEST1.1.1.1192.168.2.60x930fNo error (0)shed.dual-low.s-part-0023.t-0009.t-msedge.nets-part-0023.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
Oct 11, 2024 05:35:16.525473118 CEST1.1.1.1192.168.2.60x930fNo error (0)s-part-0023.t-0009.t-msedge.net13.107.246.51A (IP address)IN (0x0001)false

Statistics

No statistics

System Behavior

No system behavior

Disassembly

No disassembly