Windows Analysis Report
1234.exe

Overview

General Information

Sample name: 1234.exe
Analysis ID: 1562139
MD5: e4836d25516a1658d3cbad157acaccb2
SHA1: 955149baa21b6ca3ba8a7716cd0d00db1f4d0cd0
SHA256: 18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
Tags: exe, malware, trojan, user-Joker

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1234.exe Joe Sandbox ML: detected

Compliance

Source: 1234.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Spreading

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00418450 FindFirstFileA,FindClose, 0_2_00418450
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004071A0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_004071A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046F5E5 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0046F5E5
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0040FFE0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_0040FFE0

Networking

Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004234A0 ioctlsocket,recvfrom, 0_2_004234A0
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: 1234.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
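Two network observations appear above: UDP traffic to 1.1.1.1 with no preceding DNS query, attributed to "unknown" rather than to the 1234.exe process, and a DNS query for time.windows.com. time.windows.com is the default NTP server of the Windows Time service and 1.1.1.1 is Cloudflare's public DNS resolver, so the most likely reading is that the analysis VM resolved the NTP hostname through 1.1.1.1 and the "UDP without DNS" rule fired on the resolver traffic itself. The following is an added example, not part of the Joe Sandbox report or its engine, showing how that heuristic is computed from flow and DNS records and how supplying the VM's resolver address removes this false positive while still flagging a genuinely unresolved destination. All flow records and the answer address are constructed (documentation ranges); only the two facts from the report are kept.

```python
import ipaddress

# Constructed sample data in the shape a sandbox network log provides. The two
# facts taken from the report are the UDP traffic to 1.1.1.1 that had no DNS query
# behind it and the DNS query for time.windows.com; the answer address, the SSDP
# flow and the last flow are made up (documentation ranges) for the example.
DNS_LOG = [
    ("time.windows.com", ["198.51.100.23"]),  # (query name, answer IPs)
]
UDP_FLOWS = [
    ("1.1.1.1", 53, 74),             # the lookup of time.windows.com itself
    ("198.51.100.23", 123, 48),      # UDP/123 (NTP) to the name just resolved
    ("239.255.255.250", 1900, 160),  # SSDP multicast, normal Windows background noise
    ("192.0.2.44", 4444, 512),       # made up: no name ever resolved to this address
]


def resolved_names(dns_log):
    """Map every answered IP to the name(s) that resolved to it."""
    names = {}
    for qname, answers in dns_log:
        for ip in answers:
            names.setdefault(ip, []).append(qname)
    return names


def _is_unicast(dst):
    a = ipaddress.ip_address(dst)
    return not (a.is_multicast or a.is_link_local or a.is_loopback
                or a.is_unspecified or dst == "255.255.255.255")


def classify_udp(flows, dns_log, resolver=None):
    """Label each flow 'resolver' (DNS to the VM's known resolver), 'resolved:<name>'
    (destination came from a DNS answer), 'non-unicast' or 'unresolved'."""
    names = resolved_names(dns_log)
    out = []
    for dst, port, _nbytes in flows:
        if resolver is not None and dst == resolver and port == 53:
            label = "resolver"
        elif dst in names:
            label = "resolved:" + ",".join(names[dst])
        elif not _is_unicast(dst):
            label = "non-unicast"
        else:
            label = "unresolved"
        out.append((dst, port, label))
    return out


def flag_unresolved_udp(flows, dns_log, resolver=None):
    """The report's 'UDP traffic detected without corresponding DNS query' heuristic:
    unicast destinations that never appeared in a DNS answer. Passing the analysis
    VM's resolver address exempts the DNS traffic itself, which otherwise trips the
    rule exactly as it did for 1.1.1.1 in the report."""
    return [(dst, port) for dst, port, label in classify_udp(flows, dns_log, resolver)
            if label == "unresolved"]


if __name__ == "__main__":
    print("naive:", flag_unresolved_udp(UDP_FLOWS, DNS_LOG))
    print("tuned:", flag_unresolved_udp(UDP_FLOWS, DNS_LOG, resolver="1.1.1.1"))
```

Without the resolver address the naive rule reports both 1.1.1.1 and 192.0.2.44, reproducing the report's finding; with it, only the destination that no DNS answer ever pointed at remains, which is the case worth an analyst's time.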

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042C540 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0042C540
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042C6A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0042C6A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00472198 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00472198
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00418600 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00418600
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004168E0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow, 0_2_004168E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042ADA0 GetKeyState,GetKeyState,GetKeyState,CopyRect, 0_2_0042ADA0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00473CBF GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00473CBF

System Summary

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00444050 0_2_00444050
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044C180 0_2_0044C180
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004482E0 0_2_004482E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0040E280 0_2_0040E280
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043A390 0_2_0043A390
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044C3B0 0_2_0044C3B0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004105F0 0_2_004105F0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00452620 0_2_00452620
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043A6C0 0_2_0043A6C0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044A790 0_2_0044A790
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043A850 0_2_0043A850
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004608A0 0_2_004608A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0041A990 0_2_0041A990
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00452AC0 0_2_00452AC0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00448AD0 0_2_00448AD0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043CABB 0_2_0043CABB
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00418CC0 0_2_00418CC0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043ECC0 0_2_0043ECC0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00434C80 0_2_00434C80
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044ACA9 0_2_0044ACA9
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043CDED 0_2_0043CDED
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00436DF0 0_2_00436DF0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044CDF0 0_2_0044CDF0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044B166 0_2_0044B166
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004271A0 0_2_004271A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004472E0 0_2_004472E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043D352 0_2_0043D352
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044B451 0_2_0044B451
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0045B430 0_2_0045B430
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0047143C 0_2_0047143C
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00457530 0_2_00457530
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0045D580 0_2_0045D580
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044B604 0_2_0044B604
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046B6CE 0_2_0046B6CE
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00459740 0_2_00459740
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004677D6 0_2_004677D6
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044B87E 0_2_0044B87E
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00447820 0_2_00447820
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0043D8B0 0_2_0043D8B0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004518BE 0_2_004518BE
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00443910 0_2_00443910
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00421920 0_2_00421920
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0045B9B0 0_2_0045B9B0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00411AE0 0_2_00411AE0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00451B0E 0_2_00451B0E
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00443C20 0_2_00443C20
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0044BCB0 0_2_0044BCB0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00449F50 0_2_00449F50
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00457FD0 0_2_00457FD0
Source: C:\Users\user\Desktop\1234.exe Code function: String function: 00443350 appears 77 times
Source: C:\Users\user\Desktop\1234.exe Code function: String function: 004430D0 appears 39 times
Source: C:\Users\user\Desktop\1234.exe Code function: String function: 00442F40 appears 85 times
Source: C:\Users\user\Desktop\1234.exe Code function: String function: 00461528 appears 92 times
Source: C:\Users\user\Desktop\1234.exe Code function: String function: 004704FC appears 44 times
Source: 1234.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal48.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0047264E FindResourceA,LoadResource,LockResource, 0_2_0047264E
Source: 1234.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1234.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\1234.exe Section loaded: textshaping.dll Jump to behavior

Data Obfuscation

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004101E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,CLSIDFromString,UnRegisterTypeLib, 0_2_004101E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00461528 push eax; ret 0_2_00461546
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0045FD60 push eax; ret 0_2_0045FD8E

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0040E280 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 0_2_0040E280
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0045E3CF IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0045E3CF
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00413660 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu, 0_2_00413660
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00417AD0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_00417AD0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00413D30 IsIconic,IsZoomed, 0_2_00413D30
Source: C:\Users\user\Desktop\1234.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1234.exe API coverage: 3.0 %
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00418450 FindFirstFileA,FindClose, 0_2_00418450
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004071A0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 0_2_004071A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046F5E5 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_0046F5E5
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0040FFE0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 0_2_0040FFE0

Anti Debugging

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004101E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,CLSIDFromString,UnRegisterTypeLib, 0_2_004101E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00435AE0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId, 0_2_00435AE0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046A4DD SetUnhandledExceptionFilter, 0_2_0046A4DD
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046A4EF SetUnhandledExceptionFilter, 0_2_0046A4EF

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00461A8A GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_00461A8A
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0046A5EB GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0046A5EB
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0047919A GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 0_2_0047919A
No contacted IP infos
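The signatures listed at the top of this report are derived from the "Code function" evidence lines: each line names one statically identified function (process_run_address) followed by the API calls found in it, and a signature fires when that call pattern matches a heuristic, for example repeated GetKeyState at 0_2_00472198 (key-state polling), OpenClipboard with SetClipboardData at 0_2_0042C540 (clipboard modification), LoadLibraryA with GetProcAddress at 0_2_004101E0 (dynamic API resolution) and the "push eax; ret" sequence at 0_2_00461528. As an added example, not Joe Sandbox's own code or its published logic, the following parses such lines and re-derives those signatures so an analyst can see which function each one rests on. The sample lines are copied from this report; the thresholds (three or more key-state polls in one function) are this example's assumptions.

```python
import re
from collections import Counter

# Constructed input: "Code function" evidence lines copied from the report above,
# plus the empty-body and disassembly-body variants it also contains, embedded so
# the script runs offline. A real run would read the exported report text instead.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042C540 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0042C540
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042C6A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_0042C6A0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00472198 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00472198
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_0042ADA0 GetKeyState,GetKeyState,GetKeyState,CopyRect, 0_2_0042ADA0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_004101E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,CLSIDFromString,UnRegisterTypeLib, 0_2_004101E0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00435AE0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId, 0_2_00435AE0
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00444050 0_2_00444050
Source: C:\Users\user\Desktop\1234.exe Code function: 0_2_00461528 push eax; ret 0_2_00461546
"""

# "<pid>_<run>_<hex address>" as the report prints it, e.g. 0_2_0042C540.
_ADDR = r"\d+_\d+_[0-9A-Fa-f]{8}"
_LINE = re.compile(
    rf"^Source: .*? Code function: (?P<addr>{_ADDR}) (?P<body>.*?)\s*(?P<end>{_ADDR})$"
)
_API_NAME = re.compile(r"[A-Za-z_]\w*")
_PUSH_RET = re.compile(r"\bpush\b.*\bret\b")
_LOADERS = ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
            "GetModuleHandleA", "GetModuleHandleW")


def parse_line(line):
    """Split one evidence line into (function address, API names, raw body); None otherwise."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    body = m.group("body").strip()
    # API lists are comma separated; a disassembly snippet ("push eax; ret") yields no names
    apis = [t for t in (x.strip() for x in body.split(",")) if _API_NAME.fullmatch(t)]
    return m.group("addr"), apis, body


# Each rule sees the per-function API counts and the raw body. The thresholds are this
# example's assumptions, mirroring the signature names the report uses.
RULES = {
    "Potential key logger detected (key state polling based)":
        lambda c, body: c["GetKeyState"] + c["GetAsyncKeyState"] >= 3,
    "Contains functionality to modify clipboard data":
        lambda c, body: c["OpenClipboard"] > 0 and c["SetClipboardData"] > 0,
    "Contains functionality to read the clipboard data":
        lambda c, body: c["OpenClipboard"] > 0 and c["GetClipboardData"] > 0,
    "Contains functionality to dynamically determine API calls":
        lambda c, body: c["GetProcAddress"] > 0 and any(c[f] > 0 for f in _LOADERS),
    "Contains functionality which may be used to detect a debugger (GetProcessHeap)":
        lambda c, body: c["GetProcessHeap"] > 0,
    "Uses code obfuscation techniques (call, push, ret)":
        lambda c, body: _PUSH_RET.search(body) is not None,
}


def triage(text):
    """Return {signature name: [function addresses that trigger it]} for a block of report lines."""
    hits = {name: [] for name in RULES}
    for line in text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, apis, body = parsed
        counts = Counter(apis)
        for name, rule in RULES.items():
            if rule(counts, body):
                hits[name].append(addr)
    return hits


if __name__ == "__main__":
    for name, addrs in triage(REPORT_LINES).items():
        print(f"{name}: {', '.join(addrs) or '-'}")
```

Two caveats follow directly from the report's own lines. The "push eax; ret" hit at 0_2_00461528 is the same address the engine counts as a string function appearing 92 times, so that obfuscation signature fired on a shared helper rather than on a deliberately hidden code path. Three or four GetKeyState calls in one function is also how GUI code reads modifier state (Shift, Ctrl, Alt) before dispatching a message, whereas a polling keylogger sweeps the whole virtual-key range, so the constants passed to GetKeyState should be checked before treating 0_2_00472198 or 0_2_0042ADA0 as capture. The www.eyuyan.com string found in the binary is the homepage of the Easy Programming Language (EPL) toolchain, whose compiled applications carry a large GUI runtime, which makes it likely that several of these signatures describe the framework rather than a payload.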