Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exe

Overview

General Information

Sample name:173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exe
Analysis ID:1592277
MD5:042228f6c5f998df317c85c661c5c1e8
SHA1:b284cf8fcbdba6c6af9b9557bf901d58ccc7893b
SHA256:2ee6058e3aec96510a4424a31cfc021ed08c7bbe16a78c4ff07c087c8a65acd0
Tags:base64-decodedexeuser-abuse_ch
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Machine Learning detection for sample
PE file has a writeable .text section
PE file contains sections with non-standard names
PE file does not import any functions
Uses 32bit PE files

Classification

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Machine Learning detection for sample
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeJoe Sandbox ML: detected
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199817305251
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199817305251fc0stnMozilla/5.0
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeString found in binary or memory: https://t.me/w0ctzn
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeString found in binary or memory: https://t.me/w0ctznfc0stnMozilla/5.0

System Summary

barindex
PE file has a writeable .text section
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: No import functions for PE file found
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Section: .00cfg ZLIB complexity 1.015625
Source: classification engineClassification label: mal48.winEXE@0/0@0/0
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: section name: .00cfg
Source: 173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exeStatic PE information: section name: .text entropy: 6.847674913217407

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception2
Software Packing		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Obfuscated Files or Information		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://t.me/w0ctzn173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exefalse
    		high
    https://steamcommunity.com/profiles/76561199817305251173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exefalse
      		high
      https://t.me/w0ctznfc0stnMozilla/5.0173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exefalse
        		high
        https://steamcommunity.com/profiles/76561199817305251fc0stnMozilla/5.0173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exefalse
          		high

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1592277
          Start date and time:2025-01-16 00:40:10 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 1m 43s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:1
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exe
          Detection:MAL
          Classification:mal48.winEXE@0/0@0/0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Unable to launch sample, stop analysis

          Errors

          • No process behavior to analyse as no analysis process or sample was found
          • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

          Warnings

          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded IPs from analysis (whitelisted): 13.107.246.45
          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          No created / dropped files found

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.28130490345544
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:173698434687b8a1fabde34850fca22a1750c6b07d6f37b5459bc550949ffaad053c75e773402.dat-decoded.exe
          File size:388'688 bytes
          MD5:042228f6c5f998df317c85c661c5c1e8
          SHA1:b284cf8fcbdba6c6af9b9557bf901d58ccc7893b
          SHA256:2ee6058e3aec96510a4424a31cfc021ed08c7bbe16a78c4ff07c087c8a65acd0
          SHA512:eb24c4352bf3ed70ac647685dbe894b2b8b7982bfcd9a94eb4da1d3f9c9e8ac4903326fb5463329ef892a8cbc1033f106e000404d185587e7b0a5b64542bd1cb
          SSDEEP:6144:N4QLzLWAw/5muUno6mlS4EgTvtu9AbA1V8neRBaHY/rEB+PvmR1vPzilWZKCN1J1:N4QyAy0gTvt2V8neCY/u+PvmR1vPzily
          TLSH:B8846D237E41C075C09519BF088D6B2C5FAB8C862F9096E3619DEC7DAC797CB9871782
          File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S.pg..........................................@..................................................................U..W....U..T..

          File Icon

          Icon Hash:90cececece8e8eb0

          Static PE Info

          General

          Entrypoint:0x42d98b
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:TERMINAL_SERVER_AWARE
          Time Stamp:0x6770A553 [Sun Dec 29 01:26:43 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:6
          OS Version Minor:0
          File Version Major:6
          File Version Minor:0
          Subsystem Version Major:6
          Subsystem Version Minor:0
          Import Hash:

          Entrypoint Preview

          Instruction
          add byte ptr [ebx+58EAF080h], cl
          add eax, esi
          push ebp
          push ebx
          call eax
          add esp, 08h
          xor ecx, ecx
          test eax, eax
          sete cl
          mov eax, dword ptr [00450C3Ch]
          mov ebp, FF1A3972h
          mov eax, dword ptr [eax+ecx*4+6458EAF4h]
          add eax, ebp
          mov bl, 01h
          cld
          cmp byte ptr [ebx], dl
          lodsd
          loopne 00007FA3C947FECDh
          aas
          mov eax, dword ptr [00450C30h]
          mov eax, dword ptr [eax+6458EAF4h]
          add eax, esi
          mov ecx, 64590C56h
          add ecx, dword ptr [00450C34h]
          mov edx, 00453F72h
          push ecx
          push edx
          call eax
          add esp, 08h
          mov eax, dword ptr [00450C30h]
          add esi, dword ptr [eax+6458EAF0h]
          mov eax, 00453F72h
          push eax
          push edi
          call esi
          add esp, 08h
          xor ecx, ecx
          test eax, eax
          add al, ah
          dec esi
          mov bh, 94h
          shl dword ptr [ecx+00450C3Ch], 03h
          lodsb
          mov ah, ch
          jmp far DB31h : E5FF6458h
          mov eax, ebx
          pop esi
          pop edi
          pop ebx
          pop ebp
          ret
          push ebp
          mov ebp, esp
          push ebx
          push edi
          push esi
          cmp byte ptr [eax], 00000013h
          lodsd
          in al, dx
          sub byte ptr [ebx+458D0875h], cl
          fadd st(0), st(7)
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [edx-67B3F479h], bh
          mov ecx, dword ptr [0044FBF0h]
          add ecx, edx
          push eax
          call ecx
          add esp, 04h
          mov ebx, eax
          lea eax, dword ptr [esi+0Ch]
          mov dword ptr [ebp-24h], eax
          mov eax, dword ptr [00450C50h]

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x455a80x57.rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT0x455ff0x154.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0x560000x1a8.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x570000x8ffc.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x452080x5c.rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x45a7c0x328.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x398ec0x39a00b2e8d9072e0ebeed2bbed298fcfb6efcFalse0.41876101545553146data6.847674913217407IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rdata0x3b0000xbb5c0xbc0092b203a1ad228a53169fd81b045347caFalse0.858876329787234data7.7770725921616615IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0x470000xd3880xb400d29b22d83d04b5c4a3fca104141af077False0.6513020833333333data7.036569328266093IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .00cfg0x550000x40x2003aec7863ad8a33517ab8c157f8779a11False1.015625data7.227917384155917IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .rsrc0x560000x1a80x2008a38c54e23d1b3a20bd379b355d8291eFalse0.650390625data5.459629961194925IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x570000x8ffc0x900032a4ddfd23e1944c32c059ecbe9b88f7False0.7531195746527778data7.39910164143284IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Network Behavior

          No network behavior found

          Statistics

          No statistics

          System Behavior

          No system behavior

          Disassembly

          No disassembly