
Windows Analysis Report
RMMx8h5mVJ.exe

Overview

General Information

Sample name:RMMx8h5mVJ.exe
(renamed file extension from mem to exe, renamed because original name is a hash value)
Original sample name:9815aa1b29b86664bd51da7a5b8d173c3fbaf45b5efee95bc16bca411317e200.mem
Analysis ID:1545104
MD5:9c0551e383e5b58351ecd3479e4a1270
SHA1:88aa10dc2b5ad18ad24baa81cecc4608090d2d55
SHA256:9815aa1b29b86664bd51da7a5b8d173c3fbaf45b5efee95bc16bca411317e200
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Yara detected WebBrowserPassView password recovery tool
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

No configs have been found
Source | Rule | Description | Author | Strings
RMMx8h5mVJ.exe | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: RMMx8h5mVJ.exe; Avira: detected
    Source: RMMx8h5mVJ.exe; Virustotal: Detection: 44%
    Source: RMMx8h5mVJ.exe; Joe Sandbox ML: detected
    Source: RMMx8h5mVJ.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: RMMx8h5mVJ.exe; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
    Source: RMMx8h5mVJ.exe; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
    Source: RMMx8h5mVJ.exe; String found in binary or memory: http://www.nirsoft.net/
    Source: RMMx8h5mVJ.exe; Static PE information: No import functions for PE file found
    Source: RMMx8h5mVJ.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    Source: classification engine; Classification label: mal64.troj.winEXE@0/0@0/0
    Source: RMMx8h5mVJ.exe; Virustotal: Detection: 44%
    Source: initial sample; Static PE information: section where entry point is pointing to: .MPRESS2
    Source: RMMx8h5mVJ.exe; Static PE information: real checksum: 0x36621 should be: 0x86c43
    Source: RMMx8h5mVJ.exe; Static PE information: section name: .MPRESS1
    Source: RMMx8h5mVJ.exe; Static PE information: section name: .MPRESS2

    Stealing of Sensitive Information

    Source: Yara match; File source: RMMx8h5mVJ.exe, type: SAMPLE
    No Mitre Att&ck techniques found
    Source | Detection | Scanner | Label
    RMMx8h5mVJ.exe | 44% | Virustotal |
    RMMx8h5mVJ.exe | 100% | Avira | TR/Patched.Ren.Gen
    RMMx8h5mVJ.exe | 100% | Joe Sandbox ML |
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://www.nirsoft.net/ | 0% | Virustotal |
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.nirsoft.net/ | RMMx8h5mVJ.exe | false | | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1545104
    Start date and time:2024-10-30 05:34:42 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 31s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:0
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal64.troj.winEXE@0/0@0/0
    Cookbook Comments:
    • Unable to launch sample, stop analysis
    • No process behavior to analyse as no analysis process or sample was found
    • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
    No simulations
    No context
    No created / dropped files found
    File type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
    Entropy (8bit):5.623720644346912
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:RMMx8h5mVJ.exe
    File size:491'520 bytes
    MD5:9c0551e383e5b58351ecd3479e4a1270
    SHA1:88aa10dc2b5ad18ad24baa81cecc4608090d2d55
    SHA256:9815aa1b29b86664bd51da7a5b8d173c3fbaf45b5efee95bc16bca411317e200
    SHA512:74bf389dd2f5281ef9e08690e30bea7532a861771f83fa139f1ff562e8c56ebecb197c8d6824c86f375857055001981f96a9d064ef50a7dabfa1f919e033dc34
    SSDEEP:6144:zE+Z7EAXrvPRIxK0zBL/TIDC2dL3RltnfoBglM7zMUdsvk3zRAtV6:LZ7FXrPy4ix+LBltsgK7zXIq
    TLSH:C1A4AE13F3D28036E8A70570466B5B36EEFABA201235995757D40C89AEB16D2F73E307
    File Content Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L......^............................tb............@.................................!f........... ...........................`..t....p.....................................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x476274
    Entrypoint Section:.MPRESS2
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
    DLL Characteristics:
    Time Stamp:0x5ECBB413 [Mon May 25 12:03:31 2020 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:
    Instruction
    push FFFFFFFBh
    push edi
    push ebx
    or eax, FFFFFFFFh
    call 00007F07507AD3EFh
    xor eax, eax
    add esp, 1Ch
    cmp dword ptr [ebp+08h], 18h
    sete al
    push eax
    push 0000007Ah
    mov eax, ebx
    call 00007F07507AD028h
    pop ecx
    pop ecx
    jmp 00007F07507B9725h
    inc dword ptr [ebx+40h]
    push dword ptr [ebp+10h]
    push dword ptr [ebp-04h]
    call 00007F07507B5513h
    push dword ptr [ebp+14h]
    push dword ptr [ebp-04h]
    call 00007F07507B5508h
    push dword ptr [ebp+18h]
    push dword ptr [ebp-04h]
    call 00007F07507B54FDh
    add esp, 18h
    pop edi
    pop esi
    pop ebx
    leave
    ret
    test ecx, ecx
    jl 00007F07507B9749h
    cmp ecx, 01h
    je 00007F07507B9744h
    mov edx, dword ptr [esi]
    mov dword ptr [eax], esi
    mov edx, dword ptr [edx+08h]
    shl ecx, 04h
    mov ecx, dword ptr [ecx+edx]
    mov dword ptr [eax+04h], ecx
    mov ecx, dword ptr [esp+04h]
    mov dword ptr [eax+08h], ecx
    mov ecx, dword ptr [esp+08h]
    mov dword ptr [eax+0Ch], ecx
    xor eax, eax
    inc eax
    ret
    xor eax, eax
    ret
    push ebp
    mov ebp, esp
    and esp, FFFFFFF8h
    sub esp, 0Ch
    push ebx
    mov ebx, dword ptr [ebp+0Ch]
    test ebx, ebx
    push esi
    push edi
    je 00007F07507B978Dh
    mov edi, dword ptr [ebp+08h]
    mov eax, dword ptr [edi+04h]
    and dword ptr [esp+10h], 00000000h
    cmp word ptr [ebx], 0000h
    mov dword ptr [esp+14h], eax
    lea esi, dword ptr [ebx+08h]
    jle 00007F07507B9775h
    mov ecx, dword ptr [esi]
    test ecx, ecx
    jne 00007F07507B9734h
    mov eax, dword ptr [edi]
    push dword ptr [esp+14h]
    mov edx, dword ptr [eax]
    call 00007F075079F7DCh
    pop ecx
    mov dword ptr [esi], eax
    jmp 00007F07507B972Fh
    mov edx, dword ptr [esp+14h]
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x76000 | 0x274 | .MPRESS2
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x77000 | 0x51c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x760f0 | 0x58 | .MPRESS2
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .MPRESS1 | 0x1000 | 0x75000 | 0x2f600 | 4c225c6a5406c84558bda33bf509f7d2 | False | 0.6333793700527705 | data | 6.527828526200042 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .MPRESS2 | 0x76000 | 0xdde | 0xe00 | 8ca10ace9236842cc4b03438b33b70c5 | False | 0.73828125 | data | 6.3834267429884735 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rsrc | 0x77000 | 0x51c | 0x600 | 12af0b33bec010bf69ffb53807d92ef7 | False | 0.80078125 | data | 6.434521789694587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    No network behavior found
    No statistics
    No system behavior
    No disassembly