Windows Analysis Report
fqfeeCJXIY.exe

Overview

General Information

Sample name: fqfeeCJXIY.exe
(file extension renamed from none to exe because the original file name is a hash value)
Original sample name: f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e
Analysis ID: 1541199
MD5: 3ec3f39d4f633ca3443c482f1562b07e
SHA1: 023f3586c6b1852db13efd0e28ba175aaa64611e
SHA256: f5d2b0198dad167dd8973bba80fdcf02013fc2e69f36866445602542087b6b8e

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Machine Learning detection for sample
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: fqfeeCJXIY.exe Joe Sandbox ML: detected
Source: fqfeeCJXIY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.NewXing.com
Source: fqfeeCJXIY.exe, 00000000.00000000.2129019985.000000000059A000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs fqfeeCJXIY.exe
Source: fqfeeCJXIY.exe Binary or memory string: OriginalFilename vs fqfeeCJXIY.exe
Source: fqfeeCJXIY.exe Static PE information: Section: 0ext ZLIB complexity 0.9960295962591241
Source: fqfeeCJXIY.exe Static PE information: Section: 5ata ZLIB complexity 1.00048828125
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~.vbp@
Source: fqfeeCJXIY.exe, 00000000.00000002.2175371662.0000000000401000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~.vbp @m
Source: classification engine Classification label: sus22.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Mutant created: NULL
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe File created: C:\Users\user\AppData\Local\Temp\~DF590B5E50594AA91C.TMP
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe File read: C:\Users\user\Desktop\fqfeeCJXIY.exe
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: vb6chs.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: vb6chs.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Section loaded: wintypes.dll
Source: initial sample Static PE information: section where entry point is pointing to: 3ext
Source: fqfeeCJXIY.exe Static PE information: section name: 0ext
Source: fqfeeCJXIY.exe Static PE information: section name: 1ata
Source: fqfeeCJXIY.exe Static PE information: section name: 2src
Source: fqfeeCJXIY.exe Static PE information: section name: 3ext
Source: fqfeeCJXIY.exe Static PE information: section name: 4data
Source: fqfeeCJXIY.exe Static PE information: section name: 5ata
Source: fqfeeCJXIY.exe Static PE information: section name: 0ext entropy: 7.999257185550183
Source: fqfeeCJXIY.exe Static PE information: section name: 3ext entropy: 7.904648337578353
Source: fqfeeCJXIY.exe Static PE information: section name: 5ata entropy: 7.994227836892481
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\fqfeeCJXIY.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IPs
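The static findings listed above (section names 0ext, 1ata, 2src, 3ext, 4data and 5ata, which look like standard names with the leading two characters replaced by an index digit; an entry point inside the non-standard 3ext section; entropy above 7.9 and ZLIB complexity near 1.0 in three sections; and the RELOCS_STRIPPED through DEBUG_STRIPPED characteristics) can be reproduced offline without the sandbox. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it walks the PE32 headers with struct only, computes Shannon entropy and a zlib compression ratio per section, finds the section that holds AddressOfEntryPoint, and exercises itself on a constructed two-section image. STANDARD_SECTIONS, the 7.0 entropy threshold and the build_test_pe fixture are assumptions made here, not values from the report.

```python
import math
import struct
import zlib

# Assumption: section names a stock MSVC/VB6 link emits; anything else counts as non-standard.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".CRT"}

# IMAGE_FILE_* characteristics bits, the subset the report prints.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)

def triage_pe(pe: bytes) -> dict:
    """Walk the DOS/COFF/optional/section headers with struct only and rerun the static checks."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                          # section headers follow the optional header
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, hdr)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        body = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name,
            "standard": name in STANDARD_SECTIONS,
            "entropy": round(shannon_entropy(body), 3),
            # compressed size / original size: close to 1.0 means already packed or encrypted
            "zlib_complexity": round(len(zlib.compress(body)) / len(body), 3) if body else 0.0,
            "holds_entry": va <= entry_rva < va + max(vsize, rawsize),
        })
    entry = next((s["name"] for s in sections if s["holds_entry"]), None)
    return {
        "characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
        "sections": sections,
        "entry_section": entry,
        "entry_outside_standard": entry is not None and entry not in STANDARD_SECTIONS,
        "non_standard_names": [s["name"] for s in sections if not s["standard"]],
        "high_entropy": [s["name"] for s in sections if s["entropy"] > 7.0],   # assumed threshold
    }

def build_test_pe(sections, entry_section: int) -> bytes:
    """Constructed minimal PE32 (test fixture, not the analysed sample): headers plus raw section data."""
    def align(x, a=0x200):
        return (x + a - 1) // a * a
    opt_size = 224                                   # PE32 optional header incl. 16 data directories
    hdr_end = align(0x40 + 4 + 20 + opt_size + 40 * len(sections))
    layout, raw = [], hdr_end                        # (name, body, rva, file offset, raw size)
    for i, (name, body) in enumerate(sections):
        layout.append((name, body, 0x1000 * (i + 1), raw, align(len(body))))
        raw += align(len(body))
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x030F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, layout[entry_section][2])
    img += opt
    for name, body, va, rawptr, rawsize in layout:
        img += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), va,
                           rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    img += b"\0" * (hdr_end - len(img))
    for _, body, _, _, rawsize in layout:
        img += body.ljust(rawsize, b"\0")
    return bytes(img)

if __name__ == "__main__":
    # A NOP-filled .text plus a byte-sweep "3ext" section that holds the entry point.
    fixture = build_test_pe([(".text", b"\x90" * 0x200), ("3ext", bytes(range(256)) * 4)],
                            entry_section=1)
    print(triage_pe(fixture))
```

Run triage_pe(open(path, "rb").read()) against a real file to get the same section table the report prints. The fixture also shows why the report lists ZLIB complexity beside entropy: the constructed 3ext section scores exactly 8.0 bits per byte yet compresses to a fraction of its size, whereas a genuinely packed or encrypted section such as 0ext or 5ata in this sample stays near 1.0 on both measures. These are packer heuristics, not a malware verdict; combined with the msvbvm60.dll load, the .vbp strings and the idle behaviour above, they say only that a VB6 binary wrapped in a section-renaming packer did not reveal its payload in this run.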