Windows Analysis Report
RMMx8h5mVJ.exe

Overview

General Information

Sample name: RMMx8h5mVJ.exe
(renamed file extension from mem to exe, renamed because original name is a hash value)
Original sample name: 9815aa1b29b86664bd51da7a5b8d173c3fbaf45b5efee95bc16bca411317e200.mem
Analysis ID: 1545104
MD5: 9c0551e383e5b58351ecd3479e4a1270
SHA1: 88aa10dc2b5ad18ad24baa81cecc4608090d2d55
SHA256: 9815aa1b29b86664bd51da7a5b8d173c3fbaf45b5efee95bc16bca411317e200
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: RMMx8h5mVJ.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: RMMx8h5mVJ.exe Virustotal: Detection: 44% Perma Link
Machine Learning detection for sample
Source: RMMx8h5mVJ.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: RMMx8h5mVJ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: RMMx8h5mVJ.exe String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: RMMx8h5mVJ.exe String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: RMMx8h5mVJ.exe String found in binary or memory: http://www.nirsoft.net/
PE file does not import any functions
Source: RMMx8h5mVJ.exe Static PE information: No import functions for PE file found
Uses 32bit PE files
Source: RMMx8h5mVJ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal64.troj.winEXE@0/0@0/0
Source: RMMx8h5mVJ.exe Virustotal: Detection: 44%
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains an invalid checksum
Source: RMMx8h5mVJ.exe Static PE information: real checksum: 0x36621 should be: 0x86c43
PE file contains sections with non-standard names
Source: RMMx8h5mVJ.exe Static PE information: section name: .MPRESS1
Source: RMMx8h5mVJ.exe Static PE information: section name: .MPRESS2

Stealing of Sensitive Information
barindex
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: RMMx8h5mVJ.exe, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1545104 Sample: RMMx8h5mVJ.mem Startdate: 30/10/2024 Architecture: WINDOWS Score: 64 5 Antivirus / Scanner detection for submitted sample 2->5 7 Multi AV Scanner detection for submitted file 2->7 9 Machine Learning detection for sample 2->9 11 Yara detected WebBrowserPassView password recovery tool 2->11
No contacted IP infos