Windows Analysis Report
xxx.exe

Overview

General Information

Sample name: xxx.exe
Analysis ID: 1592728
MD5: 708adef6da5ac2ffee5f01f277560749
SHA1: 3dedb41674634e6b53dfaea704754cee7bddfbe3
SHA256: 0fec722a795adc9e313422c62e8ff0c7dac935dfef78da6560e38455a7739e4a
Tags: Backdoor, exe, malware, user-Joker

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found API chain indicative of debugger detection
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Contains functionality to dynamically determine API calls
Detected TCP or UDP traffic on non-standard ports
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

AV Detection

Source: http://156.245.12.57:8000/999.html Avira URL Cloud: Label: malware
Source: xxx.exe ReversingLabs: Detection: 60%
Source: xxx.exe Virustotal: Detection: 69%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: xxx.exe Joe Sandbox ML: detected

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8000
Source: global traffic TCP traffic: 192.168.2.6:49709 -> 156.245.12.57:8000
Source: unknown TCP traffic detected without corresponding DNS query: 156.245.12.57 (reported 5 times)
Source: global traffic HTTP traffic detected:
    GET /999.html HTTP/1.1
    User-Agent: Microsoft hello
    Host: 156.245.12.57:8000
    Cache-Control: no-cache
Source: xxx.exe, 00000000.00000002.2373325221.0000000000749000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://156.245.12.57/
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://156.245.12.57/nes
Source: xxx.exe, 00000000.00000002.2373325221.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://156.245.12.57:8000/999.html
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://156.245.12.57:8000/999.html)
Source: xxx.exe, 00000000.00000002.2373325221.0000000000762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://156.245.12.57:8000/999.html:
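The two networking signatures above ("TCP traffic detected without corresponding DNS query" and "known network protocol on a non-standard port") can be re-derived from ordinary DNS and connection records. The following is an added example, not part of the Joe Sandbox report: the DNS answers and connection records are constructed to mirror what the report shows (192.168.2.6 contacting 156.245.12.57:8000 with no DNS lookup naming that address, and a request carrying the "Microsoft hello" User-Agent). The record layout and the function names are this example's own and do not correspond to any Joe Sandbox or Zeek API.

```python
"""Re-derive the report's 'no DNS query' and 'HTTP on non-standard port'
findings from DNS answers and connection records.

Added example, not from the report. All records are constructed; the
203.0.113.10 address is documentation space (TEST-NET-3).
"""
import re
from collections import Counter

# Constructed DNS answers seen before the connections.
DNS_LOG = [
    "192.168.2.6 query=www.example.net answers=203.0.113.10",
]

# Constructed connection records: (src, sport, dst, dport, first client bytes).
CONN_LOG = [
    ("192.168.2.6", 49701, "203.0.113.10", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    ("192.168.2.6", 49709, "156.245.12.57", 8000,
     b"GET /999.html HTTP/1.1\r\nUser-Agent: Microsoft hello\r\n"
     b"Host: 156.245.12.57:8000\r\nCache-Control: no-cache\r\n\r\n"),
    ("192.168.2.6", 49710, "156.245.12.57", 8000, b""),
]

# Ports on which plain HTTP is expected; HTTP anywhere else is flagged.
HTTP_PORTS = {80, 8080, 8008}
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def resolved_ips(dns_log):
    """Every IP that some DNS answer returned."""
    ips = set()
    for line in dns_log:
        m = re.search(r"answers=(\S+)", line)
        if m:
            ips.update(m.group(1).split(","))
    return ips


def flows_without_dns(conn_log, dns_log):
    """Connections per destination IP that no DNS answer named (hard-coded C2)."""
    known = resolved_ips(dns_log)
    return dict(Counter(dst for _, _, dst, _, _ in conn_log if dst not in known))


def parse_http_request(payload):
    """Minimal request parser: (method, path, headers) or None if not HTTP."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), m.group(2).decode(), headers


def http_on_nonstandard_port(conn_log):
    """Identify HTTP by payload rather than port, then flag unexpected server ports."""
    hits = []
    for _, _, dst, dport, payload in conn_log:
        req = parse_http_request(payload)
        if req and dport not in HTTP_PORTS:
            method, path, headers = req
            hits.append({"dst": dst, "port": dport, "method": method, "path": path,
                         "user_agent": headers.get("user-agent")})
    return hits


if __name__ == "__main__":
    print(flows_without_dns(CONN_LOG, DNS_LOG))
    print(http_on_nonstandard_port(CONN_LOG))
```

Identifying the protocol from the first client bytes rather than from the port is what makes the second check useful: the beacon here is ordinary HTTP/1.1 on port 8000, and a port-based rule would miss it entirely. The non-standard User-Agent string is worth keeping as a separate indicator, since it survives a change of server address.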

System Summary

Source: xxx.exe Static PE information: Number of sections : 15 > 10
Source: classification engine Classification label: mal72.troj.evad.winEXE@2/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: xxx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\xxx.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xxx.exe ReversingLabs: Detection: 60%
Source: xxx.exe Virustotal: Detection: 69%
Source: unknown Process created: C:\Users\user\Desktop\xxx.exe "C:\Users\user\Desktop\xxx.exe"
Source: C:\Users\user\Desktop\xxx.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xxx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\xxx.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\xxx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Data Obfuscation

Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_004017A0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,InternetConnectA,HttpOpenRequestA,malloc,InternetCloseHandle,FreeLibrary,malloc, 0_2_004017A0
Source: xxx.exe Static PE information: section name: .xdata
Source: xxx.exe Static PE information: section name: /4
Source: xxx.exe Static PE information: section name: /19
Source: xxx.exe Static PE information: section name: /31
Source: xxx.exe Static PE information: section name: /45
Source: xxx.exe Static PE information: section name: /57
Source: xxx.exe Static PE information: section name: /70
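Two caveats on the static PE lines above. Section names of the form /N are not random: in the PE/COFF format a name longer than eight bytes is stored as a slash followed by a decimal offset into the COFF string table, and GCC/binutils (MinGW) writes names such as .debug_* that way; together with .xdata (x64 unwind data, which MinGW keeps in its own section) this is what a MinGW build with debug information looks like, and it also explains the high section count. Second, the run of IMAGE_SCN_ALIGN_* constants printed for .text is a decoding artifact: alignment is a single four-bit value in bits 20-23 of Characteristics, and the particular set of constants the report lists is what a nonzero-AND test against each constant yields for the value 0x5, i.e. IMAGE_SCN_ALIGN_16BYTES. The following added example (not part of the report, not Joe Sandbox code) walks a section table with the standard library only, resolves /N names through the string table and decodes the alignment field as one value. The image bytes are constructed; the long name that /4 resolves to here (.debug_aranges) is an assumption, since the report does not show what the submitted file's /N sections resolve to.

```python
"""Walk a PE section table with the standard library only: resolve '/N' names
through the COFF string table and decode Characteristics with the alignment
field treated as one 4-bit value.

Added example, not part of the Joe Sandbox report. The image is constructed in
build_sample_image(); the '.debug_aranges' long name is an assumption.
"""
import struct

STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}

# Section Characteristics bits (subset). Alignment is NOT a set of flags: bits
# 20-23 hold one value n meaning 2**(n-1) bytes (IMAGE_SCN_ALIGN_16BYTES == 0x5).
FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
ALIGN_MASK = 0x00F00000


def decode_characteristics(chars):
    """Return (flag names, alignment in bytes or None if the field is unset)."""
    names = [n for bit, n in FLAGS.items() if chars & bit]
    nibble = (chars & ALIGN_MASK) >> 20
    align = 1 << (nibble - 1) if 1 <= nibble <= 14 else None
    return names, align


def read_string_table(data, coff_off):
    """The COFF string table follows the symbol table; its first dword is its size."""
    sym_ptr, nsyms = struct.unpack_from("<II", data, coff_off + 8)
    if sym_ptr == 0:
        return b""
    start = sym_ptr + nsyms * 18          # each COFF symbol record is 18 bytes
    (size,) = struct.unpack_from("<I", data, start)
    return data[start:start + size]


def resolve_name(raw8, strtab):
    """'/N' is a decimal offset into the string table (binutils/MinGW convention)."""
    name = raw8.rstrip(b"\0")
    if name.startswith(b"/") and name[1:].isdigit():
        off = int(name[1:])
        end = strtab.find(b"\0", off)
        return strtab[off:None if end == -1 else end].decode("ascii", "replace"), True
    return name.decode("ascii", "replace"), False


def parse_sections(data):
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    strtab = read_string_table(data, coff)
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        hdr = data[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        (name8,) = struct.unpack_from("<8s", hdr, 0)
        (chars,) = struct.unpack_from("<I", hdr, 36)
        name, is_long = resolve_name(name8, strtab)
        flags, align = decode_characteristics(chars)
        sections.append({"name": name, "long_name": is_long, "flags": flags,
                         "align": align, "nonstandard": name not in STANDARD_NAMES})
    return sections


def summarize(data):
    """The two static checks the report applies: section count and unusual names."""
    secs = parse_sections(data)
    return {"section_count": len(secs),
            "more_than_usual": len(secs) > 10,
            "nonstandard": [s["name"] for s in secs if s["nonstandard"]],
            "long_names": [s["name"] for s in secs if s["long_name"]]}


def build_sample_image():
    """Constructed minimal image: DOS header, PE signature, COFF header with an
    empty optional header, three section headers, then a COFF string table."""
    e_lfanew = 0x40
    coff_off = e_lfanew + 4
    strtab_off = coff_off + 20 + 40 * 3
    body = b".debug_aranges\0"                    # assumed long name for '/4'
    strtab = struct.pack("<I", 4 + len(body)) + body
    img = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    img += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    img += struct.pack("<HHIIIHH", 0x8664, 3, 0, strtab_off, 0, 0, 0x0022)
    for name, chars in ((b".text", 0x60500060),   # CODE|INIT_DATA|ALIGN_16|EXEC|READ
                        (b".xdata", 0x40300040),  # INIT_DATA|ALIGN_4|READ
                        (b"/4", 0x42100040)):     # INIT_DATA|DISCARDABLE|ALIGN_1|READ
        img += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400,
                           0, 0, 0, 0, chars)
    img += strtab
    return bytes(img)
```

Running summarize() on the constructed image flags .xdata and the resolved debug section as non-standard names, as the report does for the real sample, while decode_characteristics(0x60500060) yields the four real flags plus a 16-byte alignment instead of the eleven ALIGN constants printed above. On a real file the resolved names tell you whether the extra sections are compiler debug output or something worth a closer look.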

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 8000
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: xxx.exe, 00000000.00000002.2373325221.000000000077F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW1
Source: xxx.exe, 00000000.00000002.2373325221.000000000077F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: xxx.exe, 00000000.00000002.2373325221.0000000000722000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPrx%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\xxx.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_004017A0 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,InternetConnectA,HttpOpenRequestA,malloc,InternetCloseHandle,FreeLibrary,malloc, 0_2_004017A0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA, 0_2_00401180
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_00401F50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_00401F50
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_004092D0 SetUnhandledExceptionFilter,VirtualAlloc, 0_2_004092D0
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_004033A2 SetUnhandledExceptionFilter, 0_2_004033A2
Source: C:\Users\user\Desktop\xxx.exe Code function: 0_2_00401E70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00401E70
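Not every chain listed under Anti Debugging is evasion code. The sequence at 0_2_00401E70 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the body of the CRT's __security_init_cookie, which mixes those values into the stack-cookie seed, and the one at 0_2_00401F50 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess) is the x64 __report_gsfailure handler that runs when a cookie check fails; both are emitted by MSVC and mingw-w64 into ordinary binaries. The following added example (not part of the report) triages the report's chains against those two runtime sequences first, so that what is left is what actually needs a look. The chain lists are copied from the Code function lines above; the indicator set is taken from the report's own signature text, and the function names are this example's.

```python
"""Triage API chains from a sandbox report against known CRT runtime
sequences before counting them as anti-debugging.

Added example, not part of the Joe Sandbox report. REPORT_CHAINS are copied
from the report's 'Code function' lines; RUNTIME_PATTERNS are the call
sequences of the MSVC/mingw-w64 CRT routines named in the keys.
"""

REPORT_CHAINS = {
    "0_2_004017A0": ["LoadLibraryA", "LoadLibraryA", "GetProcAddress", "GetProcAddress",
                     "GetProcAddress", "GetProcAddress", "GetProcAddress", "GetProcAddress",
                     "GetProcAddress", "FreeLibrary", "InternetOpenA", "InternetConnectA",
                     "HttpOpenRequestA", "malloc", "InternetCloseHandle", "FreeLibrary", "malloc"],
    "0_2_00401180": ["Sleep", "Sleep", "SetUnhandledExceptionFilter", "malloc", "strlen", "malloc",
                     "memcpy", "_cexit", "_initterm", "GetStartupInfoA"],
    "0_2_00401F50": ["RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
                     "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                     "GetCurrentProcess", "TerminateProcess", "abort"],
    "0_2_004092D0": ["SetUnhandledExceptionFilter", "VirtualAlloc"],
    "0_2_004033A2": ["SetUnhandledExceptionFilter"],
    "0_2_00401E70": ["GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
                     "GetTickCount", "QueryPerformanceCounter"],
}

# Ordered call sequences of CRT routines that sandboxes commonly read as
# timing checks or exception-handler tampering.
RUNTIME_PATTERNS = {
    "__security_init_cookie": ["GetSystemTimeAsFileTime", "GetCurrentProcessId",
                               "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter"],
    "__report_gsfailure": ["RtlCaptureContext", "RtlLookupFunctionEntry", "RtlVirtualUnwind",
                           "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                           "GetCurrentProcess", "TerminateProcess"],
}

# APIs named by the report's 'Debugger detection routine' signature.
DEBUG_INDICATORS = {"QueryPerformanceCounter", "DebugActiveProcess", "ExitProcess", "Sleep"}
# Run-time import resolution keeps the real imports out of the import table.
DYNAMIC_RESOLUTION = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}


def is_subsequence(pattern, chain):
    """True if every call in pattern occurs in chain in that order (gaps allowed)."""
    it = iter(chain)
    return all(any(call == step for call in it) for step in pattern)


def match_runtime(chain):
    """Name of the CRT routine whose call sequence this chain contains, or None."""
    for name, pattern in RUNTIME_PATTERNS.items():
        if is_subsequence(pattern, chain):
            return name
    return None


def triage(chains):
    """Map each address to a verdict: runtime:<routine>, dynamic-api-resolution,
    indicators:<apis>, or none. Runtime matches win over indicator hits."""
    verdicts = {}
    for addr, chain in chains.items():
        runtime = match_runtime(chain)
        calls = set(chain)
        if runtime:
            verdicts[addr] = f"runtime:{runtime}"
        elif DYNAMIC_RESOLUTION & calls:
            verdicts[addr] = "dynamic-api-resolution"
        elif DEBUG_INDICATORS & calls:
            verdicts[addr] = "indicators:" + ",".join(sorted(DEBUG_INDICATORS & calls))
        else:
            verdicts[addr] = "none"
    return verdicts


if __name__ == "__main__":
    for addr, verdict in triage(REPORT_CHAINS).items():
        print(addr, verdict)
```

After triage only two chains remain interesting: 0_2_004017A0, which resolves its WinINet imports by name at run time and then opens the HTTP request seen in the Networking section, and 0_2_00401180, whose Sleep calls sit next to _initterm, _cexit and GetStartupInfoA, which are CRT start-up calls, so it deserves a look in the disassembler before it is counted as evasion. The SetUnhandledExceptionFilter-only chains carry no indicator from the signature's list on their own.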