
Windows Analysis Report
NSudo.exe

Overview

General Information

Sample name:NSudo.exe
Analysis ID:1562125
MD5:5cae01aea8ed390ce9bec17b6c1237e4
SHA1:3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256:19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
Errors
  • Script error: Line 6118 (File "C:\Program Files (x86)\AutoIt3\Include\analysishelper.au3"): if StringLower(StringRight($path, 4)) == ".htm" or StringLower(StringRight($path, 5)) == ".html" or String
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
(the only signature that fired; the sample was never executed, see Errors, so the score of 48 rests on static AV detection alone)

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

  • Source: NSudo.exe | ReversingLabs: Detection: 52%

Static PE and string evidence
  • Source: NSudo.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
  • Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdbSS | source: NSudo.exe
  • Source: Binary string: E:\Projects\NSudo\Output\Release\x64\NSudo.pdb | source: NSudo.exe
  • Source: NSudo.exe | String found in binary or memory: https://forums.mydigitallife.net/threads/59268/
  • Source: NSudo.exe | String found in binary or memory: https://github.com/M2Team/NSudo
  • Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
  • Source: NSudo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  • Source: NSudo.exe | String found in binary or memory: -Help
  • Source: NSudo.exe | String found in binary or memory: -Install
  • Source: NSudo.exe | String found in binary or memory: -Help Show this content.
  • Source: NSudo.exe | String found in binary or memory: -Install Copy NSudo to the Windows directory and add the context menu.
  • Source: NSudo.exe | String found in binary or memory: -Help Affiche l'aide. (French: shows the help)
  • Source: NSudo.exe | String found in binary or memory: -Install Copie NSudo dans le r (French -Install help text, truncated in the report)
  • Source: NSudo.exe | Static PE information: Image base 0x140000000 > 0x60000000
  • Source: NSudo.exe | Static PE information: data directory types present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
  • Source: NSudo.exe | Static PE information: Data directory IMAGE_DIRECTORY_ENTRY_IMPORT is in .rdata, IMAGE_DIRECTORY_ENTRY_RESOURCE in .rsrc, IMAGE_DIRECTORY_ENTRY_BASERELOC in .reloc, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG in .rdata, IMAGE_DIRECTORY_ENTRY_IAT in .rdata
MITRE ATT&CK Matrix (tactic: technique; the number after a technique is the count of matched signatures the report mapped to it)
Reconnaissance: Gather Victim Identity Information
Resource Development: Acquire Infrastructure
Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter (2)
Persistence: Path Interception
Privilege Escalation: Path Interception
Defense Evasion: Direct Volume Access
Credential Access: OS Credential Dumping
Discovery: System Service Discovery
Lateral Movement: Remote Services
Collection: Data from Local System
Command and Control: Data Obfuscation
Exfiltration: Exfiltration Over Other Network Medium
Impact: Abuse Accessibility Features
AV scanner results

Sample (Source | Detection | Scanner | Label | Link)
NSudo.exe | 53% | ReversingLabs | - | -
(the signature section above reports the same ReversingLabs hit as 52%)
No Antivirus matches for dropped files, unpacked files or domains

URL scan (Source | Detection | Scanner | Label | Link)
https://forums.mydigitallife.net/threads/59268/ | 0% | Avira URL Cloud | safe | -

No contacted domains info

URLs found in the sample (Name | Source | Malicious | Antivirus Detection | Reputation)
https://github.com/M2Team/NSudo | NSudo.exe | false | - | high
https://forums.mydigitallife.net/threads/59268/ | NSudo.exe | false | Avira URL Cloud: safe | unknown

No contacted IP infos
Analysis Settings
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562125
Start date and time: 2024-11-25 08:35:18 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: NSudo.exe
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Script error: Line 6118 (File "C:\Program Files (x86)\AutoIt3\Include\analysishelper.au3"): if StringLower(StringRight($path, 4)) == ".htm" or StringLower(StringRight($path, 5)) == ".html" or StringLower(StringRight($path, 6)) == ".xhtml" or StringLower(StringRight($path, 6)) == ".shtml" or or StringLower(StringRight($path, 4)) == ".svg" then if ^ ERROR Error: Error in expression.
    (the doubled "or" is a syntax error in the sandbox's own AutoIt helper script; the sample was never launched because of it, so this is a sandbox-side fault, not a property of the sample)
  • No process behavior to analyse as no analysis process or sample was found
  • VT rate limit hit for: NSudo.exe
No simulations
No context
No created / dropped files found
Static File Info
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.2191709910374895
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: NSudo.exe
File size: 252'928 bytes
MD5: 5cae01aea8ed390ce9bec17b6c1237e4
SHA1: 3a80a49efaac5d839400e4fb8f803243fb39a513
SHA256: 19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512: c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
SSDEEP: 3072:n3vg+rJrkQVOUPrxLExK08A+MQ20AFHxH32Hdxkq5:n3vg+rOgOyrNEI3AxQUHK
TLSH: 2D342A4A7E58C0B5D0A791F899438A82F7B1FC16073043BF13A972791F772B1BE2A651
File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......( .<lA.olA.olA.o.(.nhA.olA.o[A.o>).noA.o>).nnA.o.'.nmA.o.'.niA.o>).nkA.o.(.nmA.o.(.n}A.o.(.nBA.o.'.nyA.olA.ox@.o.(.niA.o.(oomA.
Entrypoint: 0x14001b3e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x5C2A0B8A [Mon Dec 31 12:28:58 2018 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none listed)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 55fa9bd502457bea13d3626a68dc1cad
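Added example, not part of the report and not code from the NSudo project: the static file fields above are read straight out of the PE headers, and the parser below shows where each one comes from. Because the sample itself is not on this page, the header bytes are constructed from the values the report lists (timestamp 0x5C2A0B8A, entry point 0x14001b3e0, image base 0x140000000, GUI subsystem, the four DllCharacteristics flags); the constant names and offsets are from the PE/COFF specification. Two things worth reading off the result: DYNAMIC_BASE together with HIGH_ENTROPY_VA means the image takes part in 64-bit ASLR and NX_COMPAT opts it into DEP, so the mitigation flags are those of a normally built MSVC binary, and the whole-file entropy of 6.22 (with .text at 6.27) is in the range of plain compiled code rather than of a packed or encrypted image, which would approach 8. Note also that Digitally signed is false and the SECURITY data directory is empty: the embedded GitHub URL and PDB path do not tie this file to the M2Team/NSudo project on their own, so the SHA256 above should be compared against the project's published release artifacts before the file is treated as a known tool.

```python
import math
import struct
from datetime import datetime, timezone

# Constants and flag tables from the PE/COFF specification (winnt.h); only the bits
# this example decodes are listed.
IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32PLUS_MAGIC = 0x20B             # 64-bit optional header
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}

# Header values transcribed from the report above (constructed input: the sample itself
# is not on the page). Entry point RVA = 0x14001b3e0 - 0x140000000.
SAMPLE_HEADER_VALUES = dict(time_stamp=0x5C2A0B8A, entry_rva=0x1B3E0, image_base=0x140000000,
                            subsystem=2, file_chars=0x0022, dll_chars=0x8160)


def flag_names(value, table):
    """Names of the set bits, in ascending bit order (the order the report prints them in)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def build_pe32plus_header(time_stamp, entry_rva, image_base, subsystem, file_chars, dll_chars):
    """Construct a minimal PE32+ header: DOS header, PE signature, COFF file header and a
    240-byte optional header with 16 empty data directories. It has no sections, so it is
    not a loadable image; it exists only to give the parser below real bytes to work on."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 0 sections, TimeDateStamp, symtab ptr, nsyms, SizeOfOptionalHeader, flags
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, time_stamp, 0, 0, 240, file_chars)
    # Optional header in spec order: Magic .. BaseOfCode (24 bytes) ...
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 14, 0, 0, 0, 0, entry_rva, 0x1000)
    # ... ImageBase, alignments, OS/image/subsystem versions, sizes, checksum,
    # Subsystem, DllCharacteristics (48 bytes) ...
    opt += struct.pack("<QIIHHHHHHIIIIHH", image_base, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x42000, 0x400, 0, subsystem, dll_chars)
    # ... stack/heap reserve and commit, LoaderFlags, NumberOfRvaAndSizes, 16 empty directories
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    assert len(opt) == 240
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt


def parse_pe32plus_header(data):
    """Decode the header fields that the report's static file block is built from."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, _, time_stamp, _, _, _, file_chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20
    if struct.unpack_from("<H", data, oh)[0] != PE32PLUS_MAGIC:
        raise ValueError("not PE32+ (this example handles 64-bit images only)")
    entry_rva = struct.unpack_from("<I", data, oh + 16)[0]
    image_base = struct.unpack_from("<Q", data, oh + 24)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, oh + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, oh + 68)
    return {
        "machine": hex(machine),
        "time_stamp": datetime.fromtimestamp(time_stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "entry_point": image_base + entry_rva,
        "image_base": image_base,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "file_characteristics": flag_names(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        # DYNAMIC_BASE makes the image eligible for ASLR; NX_COMPAT opts it into DEP.
        "aslr": bool(dll_chars & 0x0040),
        "dep": bool(dll_chars & 0x0100),
    }


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the 'Entropy (8bit)' figure in the report:
    0.0 for a constant byte stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    info = parse_pe32plus_header(build_pe32plus_header(**SAMPLE_HEADER_VALUES))
    for key, value in info.items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
    print("entropy of a zero page:", shannon_entropy(bytes(4096)))
```

On a real file, pass the first few kilobytes of the binary to parse_pe32plus_header and the whole file to shannon_entropy; the DOS stub, section table and data directories are deliberately not walked here, which is why the constructed header needs no sections.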
Entrypoint disassembly (x64)
Note: in x64 code the bytes 40h..4Fh are REX prefixes; a 32-bit decoder shows them as inc/dec of a 32-bit register (dec eax = REX.W, dec esp = REX.WR, inc ecx = REX.B, inc ebp = REX.RB, inc eax = REX). The listing below folds those prefixes into the instructions they belong to; memory operands with an absolute displacement are rip-relative.

sub rsp, 28h
call 00007F06710B870Ch          ; matches the MSVC CRT entry stub: initialise the stack cookie ...
add rsp, 28h
jmp 00007F06710B82C3h           ; ... then tail-jump to the common main
int3                            ; x14, padding
sub rsp, 48h
call 00007F06710B09CCh
mov dword ptr [rsp+58h], eax
call 00007F06710B2663h
xor r9d, r9d
lea r8, [rsp+68h]
cmp eax, 01h
lea rdx, [rsp+30h]
lea rax, [rsp+58h]
sete r9b
mov qword ptr [rsp+20h], rax
lea rcx, [rsp+60h]
call qword ptr [rip+00003015h]
add rsp, 48h
ret
mov rax, qword ptr [rip+00003011h]
jmp rax
int3                            ; x6, padding
xor eax, eax
cmp dword ptr [rip+0000FC98h], eax
setne al
ret
int3                            ; x4, padding
mov dword ptr [rip+00010B8Ah], 00000000h
ret
int3                            ; x5, padding
push rbx
sub rsp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h              ; PF_FASTFAIL_AVAILABLE
call qword ptr [rip+00002E22h]  ; import call; IsProcessorFeaturePresent is in the KERNEL32 import list below
test eax, eax
je 00007F06710B8426h
mov ecx, ebx
int 29h                         ; __fastfail: the CRT's security-failure path
mov ecx, 00000003h
call 00007F06710B83EDh
xor edx, edx
lea rcx, [rsp+000000F0h]
mov r8d, 000004D0h
Data Directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29388 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2f000 | 0x113f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2d000 | 0x1a1c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | - (empty: no Authenticode signature, consistent with Digitally signed: false)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x41000 | 0x2cc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x234b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x23610 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x23510 | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x600 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | - (empty: not a .NET image)
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
.text | 0x1000 | 0x1cf48 | 0x1d000 | 2bb6014f49dd048ba2659ec6fa8408e9 | False | 0.4616615032327586 | data | 6.274460021502248 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1e000 | 0xc706 | 0xc800 | 18ecc7a2e5e307442685c841745b7954 | False | 0.34921875 | OpenPGP Public Key (a libmagic false match on read-only data) | 4.5347891656060115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b000 | 0x1740 | 0xc00 | b0dcf4ba030cb5d2f42927ebe7055487 | False | 0.22330729166666666 | data | 3.947592449508497 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2d000 | 0x1a1c | 0x1c00 | c08072fef804c27fc3e537a6a8794a5a | False | 0.4716796875 | data | 5.053135403745446 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2f000 | 0x113f8 | 0x11400 | 5b58a5b379d54d695d1d07df30e08922 | False | 0.23297384510869565 | data | 5.425036797515047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x41000 | 0x2cc | 0x400 | fb1887e4a47a9e6cdfe77e3e02953396 | False | 0.5107421875 | data | 4.33913742192629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
CONFIG | 0x2f568 | 0x33f | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.26594464500601683
STRING | 0x3b4c8 | 0x547 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5144337527757217
STRING | 0x3d4f0 | 0x520 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.40625
STRING | 0x3e568 | 0x5dc | JSON data | - | - | 0.4266666666666667
STRING | 0x3c488 | 0x561 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | Taiwan | 0.5134350036310821
STRING | 0x3bac8 | 0x9bf | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.4220440881763527
STRING | 0x3dab8 | 0xaaf | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.34113345521023763
STRING | 0x3ec00 | 0xcd8 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.3524939172749392
STRING | 0x3caa8 | 0xa45 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | Taiwan | 0.4138455686572841
STRING | 0x3ba10 | 0xb2 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.9382022471910112
STRING | 0x3da10 | 0xa7 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.9041916167664671
STRING | 0x3eb48 | 0xb1 | ASCII text, with CRLF line terminators | - | - | 0.864406779661017
STRING | 0x3c9f0 | 0xb2 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | Chinese | Taiwan | 0.9325842696629213
RT_ICON | 0x2fa28 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | - | - | 0.34308510638297873
RT_ICON | 0x2fe90 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 0 | - | - | 0.261046511627907
RT_ICON | 0x30548 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | - | - | 0.23934426229508196
RT_ICON | 0x30ed0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | - | - | 0.1550187617260788
RT_ICON | 0x31f78 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 0 | - | - | 0.13062130177514794
RT_ICON | 0x339e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | - | - | 0.12406639004149378
RT_ICON | 0x35f88 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | - | - | 0.06654463863958432
RT_ICON | 0x3a1b0 | 0x129b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9216880117572959
RT_DIALOG | 0x2f4e0 | 0x84 | data | - | - | 0.7424242424242424
RT_DIALOG | 0x2f8a8 | 0x180 | data | - | - | 0.5
RT_GROUP_ICON | 0x3b450 | 0x76 | data | - | - | 0.7542372881355932
RT_VERSION | 0x3f8d8 | 0x2e8 | data | - | - | 0.4905913978494624
RT_MANIFEST | 0x3fbc0 | 0x835 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2041), with CRLF line terminators | English | United States | 0.32032365540218943
Imports (DLL: imported functions)
KERNEL32.dll: DeleteCriticalSection, WaitForSingleObjectEx, GetCurrentProcess, GetCurrentThreadId, ResumeThread, SetPriorityClass, OpenProcess, FreeLibrary, LoadLibraryW, MulDiv, CopyFileW, MoveFileExW, InitializeCriticalSectionEx, TerminateProcess, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, GetProcessHeap, HeapFree, HeapAlloc, OutputDebugStringW, InitializeSListHead, EnterCriticalSection, LeaveCriticalSection, DecodePointer, RaiseException, SetFileAttributesW, GetFileAttributesW, DeleteFileW, ExpandEnvironmentStringsW, GetCommandLineW, SizeofResource, LockResource, LoadResource, FindResourceExW, GetSystemWindowsDirectoryW, SleepEx, SetLastError, CloseHandle, VerifyVersionInfoW, GetModuleHandleW, VerSetConditionMask, MultiByteToWideChar, GetProcAddress, GetModuleFileNameW, GetTickCount64, QueryPerformanceCounter, GetLastError, GetSystemTimeAsFileTime, GetCurrentProcessId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, InitOnceExecuteOnce
USER32.dll: EndPaint, GetWindowTextW, GetClientRect, BeginPaint, LoadImageW, MonitorFromWindow, ChangeWindowMessageFilter, GetDC, SetWindowLongPtrW, UnregisterClassW, DialogBoxParamW, SendMessageW, SetWindowTextW, DrawIconEx, EndDialog, GetDlgItem
GDI32.dll: GetDeviceCaps
COMDLG32.dll: GetOpenFileNameW
ADVAPI32.dll: RegDeleteTreeW, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, SetTokenInformation, RevertToSelf, InitializeAcl, GetTokenInformation, GetLengthSid, GetAce, FreeSid, EqualSid, DuplicateTokenEx, CreateRestrictedToken, AllocateAndInitializeSid, AdjustTokenPrivileges, AddAce, AddAccessAllowedAce, OpenProcessToken, SetThreadToken, CreateProcessAsUserW, StartServiceW, QueryServiceStatusEx, OpenServiceW, OpenSCManagerW, CloseServiceHandle
SHELL32.dll: DragQueryFileW, DragFinish
ole32.dll: CoInitializeEx
WTSAPI32.dll: WTSQueryUserToken, WTSEnumerateProcessesW, WTSFreeMemory
USERENV.dll: DestroyEnvironmentBlock, CreateEnvironmentBlock
msvcrt.dll: abort, fseek, __C_specific_handler, _cexit, ??0exception@@QEAA@AEBQEBD@Z, __setusermatherr, _initterm, _initterm_e, exit, _exit, _c_exit, __wgetmainargs, atexit, _wcmdln, _lock, _unlock, _fseeki64, ?terminate@@YAXXZ, _strtoi64, _strtoui64, ??0exception@@QEAA@XZ, ??0exception@@QEAA@AEBV0@@Z, ??1exception@@UEAA@XZ, ?what@exception@@UEBAPEBDXZ, _XcptFilter, fsetpos, fwrite, memmove, memcpy, ??2@YAPEAX_K@Z, memset, setlocale, ??3@YAXPEAX@Z, memcmp, localeconv, ungetc, setvbuf, fread, fputc, fgetpos, fgetc, fflush, fclose, strtod, _set_fmode, malloc, free, _wcsicmp, wcsrchr, _errno, ??_V@YAXPEAX@Z, __CxxFrameHandler3, _CxxThrowException, _wcsnicmp, _iob, _vsnprintf, __set_app_type, _commode, wcslen, __dllonexit, wcsstr, _wfsopen
msvcp60.dll: _Toupper, _Tolower, _Getctype
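Added example, not from the report and not code from the NSudo project: a triage pass over the import table above. The Import Hash field is the MD5 of the canonical "dll.function" list in on-disk import order, which is why it survives a rebuild with unchanged imports and is the usual pivot for finding other builds of the same tool; imphash_string and imphash implement that canonicalisation (ordinal imports are written as ordN; the per-DLL ordinal-to-name lookup that pefile applies for a few system DLLs is left out because this table has no ordinals). The rule table is the security-relevant half: taken one at a time the ADVAPI32 token APIs, CreateProcessAsUserW, WTSQueryUserToken and the service-control calls are all common in legitimate software, but together they are exactly the set a launcher needs to obtain another account's token and start a process under it, which is what the project at the embedded GitHub URL describes itself as, and the -Install string (copy to the Windows directory, add a context menu, hence RegCreateKeyExW/RegSetValueExW) fits the same picture. That is also why a multi-AV hit on such a file is normally a HackTool/PUA-class verdict rather than evidence of malware; the report's score with no behaviour behind it should be read in that light. REPORT_IMPORTS is transcribed from the table above with KERNEL32 trimmed to the names the rules consult, so the hash it produces is a demonstration value and is not expected to equal 55fa9bd502457bea13d3626a68dc1cad; the rule labels and thresholds are this example's own choices.

```python
import hashlib

# Import table transcribed from the report above (constructed input for this example).
# Order within each DLL follows the report; KERNEL32 is trimmed to the names the rules
# consult, so the hash computed over this list is a demonstration value, not the
# sample's real Import Hash, which is taken over the complete table in on-disk order.
REPORT_IMPORTS = [
    ("KERNEL32.dll", ["OpenProcess", "ResumeThread", "SetPriorityClass", "CopyFileW", "MoveFileExW",
                      "GetSystemWindowsDirectoryW", "LoadLibraryW", "GetProcAddress",
                      "IsProcessorFeaturePresent"]),
    ("ADVAPI32.dll", ["RegDeleteTreeW", "RegSetValueExW", "RegOpenKeyExW", "RegCreateKeyExW",
                      "RegCloseKey", "SetTokenInformation", "RevertToSelf", "InitializeAcl",
                      "GetTokenInformation", "GetLengthSid", "GetAce", "FreeSid", "EqualSid",
                      "DuplicateTokenEx", "CreateRestrictedToken", "AllocateAndInitializeSid",
                      "AdjustTokenPrivileges", "AddAce", "AddAccessAllowedAce", "OpenProcessToken",
                      "SetThreadToken", "CreateProcessAsUserW", "StartServiceW", "QueryServiceStatusEx",
                      "OpenServiceW", "OpenSCManagerW", "CloseServiceHandle"]),
    ("WTSAPI32.dll", ["WTSQueryUserToken", "WTSEnumerateProcessesW", "WTSFreeMemory"]),
    ("USERENV.dll", ["DestroyEnvironmentBlock", "CreateEnvironmentBlock"]),
]

# Capability rules (label, minimum hits, API names). Labels and thresholds are this
# example's own choices. Each cluster alone is common in benign software; the
# combination is what describes "obtain another account's token and start a process
# under it".
CAPABILITY_RULES = [
    ("token_manipulation", 3, {"OpenProcessToken", "DuplicateTokenEx", "SetThreadToken",
                               "AdjustTokenPrivileges", "SetTokenInformation",
                               "CreateRestrictedToken", "GetTokenInformation"}),
    ("process_under_foreign_token", 2, {"CreateProcessAsUserW", "WTSQueryUserToken",
                                        "CreateEnvironmentBlock"}),
    ("service_control", 2, {"OpenSCManagerW", "OpenServiceW", "StartServiceW", "QueryServiceStatusEx"}),
    ("process_enumeration", 2, {"WTSEnumerateProcessesW", "OpenProcess"}),
    ("registry_write", 2, {"RegCreateKeyExW", "RegSetValueExW", "RegDeleteTreeW"}),
]


def imphash_string(imports):
    """Canonical string the import hash is taken over: one 'dll.func' per imported symbol
    in import-table order, lower-cased, with a .dll/.ocx/.sys extension dropped from the
    DLL name and ordinal imports written as ordN, joined by commas."""
    parts = []
    for dll, names in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for name in names:
            func = f"ord{name}" if isinstance(name, int) else name.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the canonical import string (the report's 'Import Hash' field)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def capabilities(imports):
    """Map each rule whose threshold is met to the sorted list of APIs that matched it."""
    imported = {n for _, names in imports for n in names if isinstance(n, str)}
    hits = {}
    for label, min_hits, apis in CAPABILITY_RULES:
        matched = sorted(apis & imported)
        if len(matched) >= min_hits:
            hits[label] = matched
    return hits


def is_token_launcher(imports):
    """True when the three clusters that together make up 'get a privileged token and
    spawn a process under it' all fire; the remaining rules only add context."""
    caps = capabilities(imports)
    return all(k in caps for k in ("token_manipulation", "process_under_foreign_token", "service_control"))


if __name__ == "__main__":
    print("canonical string:", imphash_string(REPORT_IMPORTS)[:80], "...")
    print("imphash over the transcribed table:", imphash(REPORT_IMPORTS))
    for label, names in capabilities(REPORT_IMPORTS).items():
        print(f"{label}: {', '.join(names)}")
    print("token-launcher profile:", is_token_launcher(REPORT_IMPORTS))
```

To reproduce the report's Import Hash you need the binary itself, because the hash depends on the complete table in the order the linker emitted it, not on the per-DLL grouping shown in a report; once you have it, the same canonical string is what every imphash implementation feeds to MD5.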
Languages of the compilation system (language, country where it is spoken)
Chinese, Taiwan
English, United States
No network behavior found
No statistics
No system behavior
No disassembly