Windows Analysis Report
sq4TBEDm0b.exe

Overview

General Information

Sample name: sq4TBEDm0b.exe
renamed because original name is a hash value
Original sample name: 5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3.exe
Analysis ID: 1544735
MD5: dde7257c1717972d4f8cf9a48288b894
SHA1: 8b458665cebef66127801864dc51c31138023580
SHA256: 5f91a8ddc2c78cb7ddb971ab5ae4a2d4dd2596f5d4e7f017005eafbce8cdf8b3
Tags: exe, user-FireDark
Errors
  • Corrupt sample or wrongly selected analyzer. Details: The %1 application cannot be run in Win32 mode.

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected suspicious sample
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file does not import any functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.5% probability
Source: sq4TBEDm0b.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Source: Binary string: utcutil.pdbGCTL source: sq4TBEDm0b.exe
Source: Binary string: OsfmConfig.pdb source: sq4TBEDm0b.exe
Source: Binary string: vstxraid.pdb source: sq4TBEDm0b.exe
Source: Binary string: utcutil.pdb source: sq4TBEDm0b.exe
Source: sq4TBEDm0b.exe Static PE information: No import functions for PE file found
Source: sq4TBEDm0b.exe Binary or memory string: OriginalFilenameutcutil.dllj% vs sq4TBEDm0b.exe
Source: sq4TBEDm0b.exe Binary or memory string: OriginalFilenamevstxraid.sysb! vs sq4TBEDm0b.exe
Source: sq4TBEDm0b.exe Binary string: The BootDevice property indicates the name of the disk drive from which the Win32 operating system boots. /nExample: \\Device\Harddisk0.
Source: sq4TBEDm0b.exe Binary string: MSFT_CliPropertyBootDeviceThe BootDevice property indicates the name of the disk drive from which the Win32 operating system boots. /nExample: \\Device\Harddisk0.BootDevice
Source: classification engine Classification label: sus22.winEXE@1/0@0/0
Source: sq4TBEDm0b.exe String found in binary or memory: The local MS DTC detected that the MS DTC on %1 has the same unique identity as the local MS DTC. This means that the two MS DTC will not be able to communicate with each other. This problem typically occurs if one of the systems were cloned using unsupported cloning tools. MS DTC requires that the systems be cloned using supported cloning tools such as SYSPREP. Running 'msdtc -uninstall' and then 'msdtc -install' from the command prompt will fix the problem. Note: Running 'msdtc -uninstall' will result in the system losing all MS DTC configuration information.%0
Source: sq4TBEDm0b.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: sq4TBEDm0b.exe Static file information: File size 8388608 > 1048576
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sq4TBEDm0b.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT
Source: sq4TBEDm0b.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: utcutil.pdbGCTL source: sq4TBEDm0b.exe
Source: Binary string: OsfmConfig.pdb source: sq4TBEDm0b.exe
Source: Binary string: vstxraid.pdb source: sq4TBEDm0b.exe
Source: Binary string: utcutil.pdb source: sq4TBEDm0b.exe
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: sq4TBEDm0b.exe Static PE information: real checksum: 0x2b247 should be: 0x80d479
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos