Windows Analysis Report
172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe

Overview

General Information

Sample name:172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe
Analysis ID:1532618
MD5:2b0c4f943bd5faa9ff1a19524dfae1fe
SHA1:9ddee389d010e6edf131d59e1bd9a25aae81ef87
SHA256:2ad0b05a69d900395e4ddb75a67eec129a60c7bc7407f05806204c286345c7dd
Tags:base64-decoded, exe, user-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file does not import any functions
Sample file is different than original file name gathered from version info

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; ReversingLabs: Detection: 13%
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Virustotal: Detection: 19%
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Joe Sandbox ML: detected
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static PE information: No import functions for PE file found
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Binary or memory string: OriginalFilename "Germ.exe" vs 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe
  • Source: classification engine; Classification label: mal52.winEXE@0/0@0/0
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
  • Source: 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; Static PE information: section name: .text entropy: 7.125639902541728
MITRE ATT&CK Matrix (techniques listed per tactic; matched techniques carry their signature count in parentheses):

  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Software Packing (1); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Service Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: Data Obfuscation; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: Abuse Accessibility Features; Network Denial of Service
Antivirus results for the submitted file (Source; Detection; Scanner):
  • 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; 14%; ReversingLabs
  • 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; 19%; Virustotal
  • 172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe; 100%; Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532618
Start date and time:2024-10-13 18:54:05 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 32s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe
Detection:MAL
Classification:mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):6.858318239996755
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
  • Win32 Executable (generic) a (10002005/4) 49.78%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name:172883838590084c8801d02646b8e714feffae85926b0947ea91abe26d95df9563b13aa054698.dat-decoded.exe
File size:470'246 bytes
MD5:2b0c4f943bd5faa9ff1a19524dfae1fe
SHA1:9ddee389d010e6edf131d59e1bd9a25aae81ef87
SHA256:2ad0b05a69d900395e4ddb75a67eec129a60c7bc7407f05806204c286345c7dd
SHA512:ffaff454fd080bb5f874b1c88307f18804c6f211b4b49633ab294b592fe7615826197ab608e4ddcc63f1e5155daaf9deba66bf1d0d9e1d7cd59014683bce58d6
SSDEEP:6144:Aq5go3rTuM/F9G1HsHDSAFXKN/mZcU8f44GOkYHNjpSoAIhC5uhh:ngiHu4F2sj5XKScU8w4GOFtQ
TLSH:C9A47C1CCFE5D986DBBE01B028E21205F6B8D81D6C97D7299A0B64771B3BBB231454CE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........."...0.............^.... ........@.. .......................@............@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x440b5e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x67029BCA [Sun Oct 6 14:16:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:
Data directories (Name; Virtual Address; Virtual Size; Is in Section):
  • IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_IMPORT; 0x40b04; 0x57; .text
  • IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x42000; 0x2f000; .rsrc
  • IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x72000; 0xc; .reloc
  • IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_IAT; 0x2000; 0x8; .text
  • IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
  • IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x2008; 0x48; .text
  • IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
Sections:

Section .text
  • Virtual Address:0x2000
  • Virtual Size:0x3eb64
  • Raw Size:0x3ec00
  • MD5:57cdf80f91c1bbca5ca24cfa0a8e5de9
  • Xored PE:False
  • ZLIB Complexity:0.6671127988047809
  • File Type:data
  • Entropy:7.125639902541728
  • Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Section .rsrc
  • Virtual Address:0x42000
  • Virtual Size:0x2f000
  • Raw Size:0x2f000
  • MD5:f74690c9642c5606c40f7bb4b5ca5d79
  • Xored PE:False
  • ZLIB Complexity:0.44218022772606386
  • File Type:data
  • Entropy:6.304119182454095
  • Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Section .reloc
  • Virtual Address:0x72000
  • Virtual Size:0xc
  • Raw Size:0x200
  • MD5:bf619eac0cdf3f68d496ea9344137e8b
  • Xored PE:False
  • ZLIB Complexity:0.02734375
  • File Type:data
  • Entropy:0.0
  • Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
No network behavior found
No statistics
No system behavior
No disassembly