Loading ...

Analysis Report http://a46.bulehero.in/download.exe

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:102164
Start date:09.01.2019
Start time:16:52:26
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://a46.bulehero.in/download.exe
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal72.win@3/8@1/1
Cookbook Comments:
  • Adjust boot time
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold720 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsObfuscated Files or Information1Credential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol12

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://a46.bulehero.in/download.exeAvira URL Cloud: Label: malware
Antivirus detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\download.exe.n8vbqd2.partialAvira: Label: HEUR/AGEN.1011827
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\download[1].exeAvira: Label: HEUR/AGEN.1011827
Multi AV Scanner detection for domain / URLShow sources
Source: http://a46.bulehero.in/download.exevirustotal: Detection: 21%Perma Link
Source: http://a46.bulehero.in/download.exevirustotal: Detection: 21%Perma Link
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\download[1].exevirustotal: Detection: 78%Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\download.exe.n8vbqd2.partialvirustotal: Detection: 78%Perma Link

Networking:

barindex
Downloads executable code via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 17 Dec 2018 23:50:15 GMTAccept-Ranges: bytesETag: "80d5c5416396d41:0"Server: Microsoft-IIS/7.5Date: Wed, 09 Jan 2019 15:52:53 GMTContent-Length: 322560Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2a 73 24 1c 6e 12 4a 4f 6e 12 4a 4f 6e 12 4a 4f 15 0e 46 4f 6d 12 4a 4f ed 0e 44 4f 45 12 4a 4f 58 34 40 4f a8 12 4a 4f 38 0d 59 4f 42 12 4a 4f 6e 12 4b 4f 08 10 4a 4f 0c 0d 59 4f 79 12 4a 4f 58 34 41 4f 30 12 4a 4f 86 0d 41 4f 3e 12 4a 4f 86 0d 40 4f 77 12 4a 4f 6e 12 4a 4f 27 12 4a 4f a9 14 4c 4f 6f 12 4a 4f 52 69 63 68 6e 12 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 37 36 1
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)Show sources
Source: global trafficTCP traffic: 192.168.2.5:49793 -> 139.162.85.79:80
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /download.exe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: a46.bulehero.inConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: a46.bulehero.in

System Summary:

barindex
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)Show sources
Source: download[1].exe.3.drStatic PE information: Section: UPX1 ZLIB complexity 0.990717976238
Source: download.exe.n8vbqd2.partial.3.drStatic PE information: Section: UPX1 ZLIB complexity 0.990717976238
Classification labelShow sources
Source: classification engineClassification label: mal72.win@3/8@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFB67EECB8242C8AF6.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2336 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2336 CREDAT:17410 /prefetch:2Jump to behavior
Found GUI installer (many successful clicks)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Data Obfuscation:

barindex
PE file contains sections with non-standard namesShow sources
Source: download[1].exe.3.drStatic PE information: section name: UPX2
Source: download.exe.n8vbqd2.partial.3.drStatic PE information: section name: UPX2
Sample is packed with UPXShow sources
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\download.exe.n8vbqd2.partialJump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\download[1].exeJump to dropped file

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 102164 URL: http://a46.bulehero.in/download.exe Startdate: 09/01/2019 Architecture: WINDOWS Score: 72 21 Multi AV Scanner detection for domain / URL 2->21 23 Antivirus detection for URL or domain 2->23 25 Antivirus detection for dropped file 2->25 27 Multi AV Scanner detection for dropped file 2->27 6 iexplore.exe 8 65 2->6         started        process3 file4 13 download.exe.n8vbq...ial:Zone.Identifier, ASCII 6->13 dropped 9 iexplore.exe 27 6->9         started        process5 dnsIp6 19 a46.bulehero.in 139.162.85.79, 49793, 49794, 80 LINODE-APLinodeLLCUS Netherlands 9->19 15 C:\Users\...\download.exe.n8vbqd2.partial, PE32 9->15 dropped 17 C:\Users\user\AppData\...\download[1].exe, PE32 9->17 dropped file7

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
http://a46.bulehero.in/download.exe21%virustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\download.exe.n8vbqd2.partial100%AviraHEUR/AGEN.1011827
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\download[1].exe100%AviraHEUR/AGEN.1011827
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\download[1].exe79%virustotalBrowse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\download.exe.n8vbqd2.partial79%virustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://a46.bulehero.in/download.exe21%virustotalBrowse
http://a46.bulehero.in/download.exe100%Avira URL Cloudmalware

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.