Windows Analysis Report
5dtLgMI0Rh.exe

Overview

General Information

Sample name: 5dtLgMI0Rh.exe
renamed because original name is a hash value
Original sample name: 85962530c71cd31c102853d64a8829f93b63bd1406bdec537b9d8c200f8f0bcc.exe
Analysis ID: 1417123
MD5: b341ac1a1a31d085c9ffdfd4b83c88b8
SHA1: d6b65528e706585bba33060ef36b15c41c7c38db
SHA256: 85962530c71cd31c102853d64a8829f93b63bd1406bdec537b9d8c200f8f0bcc
Tags: exe, silentnight

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 5dtLgMI0Rh.exe Virustotal: Detection: 33%
Source: 5dtLgMI0Rh.exe ReversingLabs: Detection: 31%
Source: 5dtLgMI0Rh.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E91E770 0_2_00007FF72E91E770
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E91A0A0 0_2_00007FF72E91A0A0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E91FCB0 0_2_00007FF72E91FCB0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E916900 0_2_00007FF72E916900
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E91C5A0 0_2_00007FF72E91C5A0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E9269F0 0_2_00007FF72E9269F0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E91DAC0 0_2_00007FF72E91DAC0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E9166F0 0_2_00007FF72E9166F0
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E914E20 0_2_00007FF72E914E20
Source: 5dtLgMI0Rh.exe, 00000000.00000000.1971003376.00007FF72EB9E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCodeApp.exe, vs 5dtLgMI0Rh.exe
Source: 5dtLgMI0Rh.exe Binary or memory string: OriginalFilenameCodeApp.exe, vs 5dtLgMI0Rh.exe
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Section loaded: apphelp.dll
Source: classification engine Classification label: mal48.winEXE@1/0@0/0
Source: 5dtLgMI0Rh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5dtLgMI0Rh.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 5dtLgMI0Rh.exe Static file information: File size 2650112 > 1048576
Source: 5dtLgMI0Rh.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x260c00
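The static PE lines above (DllCharacteristics flags, image base above 0x60000000, file size above 1 MiB, .rdata raw size above 0x100000, .text section flags) are header checks a triage script can reproduce without a sandbox. The following is an added example, not code from the report or from the sandbox vendor: it parses the DOS, COFF, optional and section headers with nothing but struct, then emits findings worded like the report's own lines. The thresholds are constants chosen here to match this report, and the `build_sample_pe` input is a constructed PE32+ header carrying this report's values (image base 0x140000000, DllCharacteristics 0x8160, a 0x260c00-byte .rdata, padding to 2650112 bytes), not the real sample. Note that this flag set and a 0x140000000 image base are the defaults for any modern MSVC-linked x64 executable, so on their own they are descriptive, not evidence of malice.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# IMAGE_SCN_* section characteristics relevant to triage.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

# Thresholds chosen to mirror this report's "Static PE information" lines (hypothetical).
HIGH_IMAGE_BASE = 0x60000000
LARGE_FILE = 1048576
LARGE_SECTION = 0x100000


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Parse DOS header, COFF header, optional header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                           # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                         # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, _raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size,
                         "flags": _flag_names(flags, SECTION_FLAGS)})
    return {"magic": magic, "image_base": image_base,
            "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
            "sections": sections}


def triage(data):
    """Return the parsed fields plus findings worded like the report's static checks."""
    info = parse_pe(data)
    findings = []
    if info["image_base"] > HIGH_IMAGE_BASE:
        findings.append("Image base %#x > %#x" % (info["image_base"], HIGH_IMAGE_BASE))
    if len(data) > LARGE_FILE:
        findings.append("File size %d > %d" % (len(data), LARGE_FILE))
    for sec in info["sections"]:
        if sec["raw_size"] > LARGE_SECTION:
            findings.append("Raw size of %s is bigger than: %#x < %#x"
                            % (sec["name"], LARGE_SECTION, sec["raw_size"]))
    info["findings"] = findings
    return info


def build_sample_pe():
    """Constructed PE32+ header (not the real sample) carrying the values from this report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                 # ImageBase
    struct.pack_into("<H", opt, 68, 3)                           # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<H", opt, 70, 0x8160)                      # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|TS_AWARE
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1F000, 0x1000, 0x1F000, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8sIIIIIIHHI", b".rdata", 0x260C00, 0x20000, 0x260C00, 0x1F400, 0, 0, 0, 0, 0x40000040)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rdata
    return image + b"\0" * (2650112 - len(image))                 # pad to the reported file size


if __name__ == "__main__":
    for line in triage(build_sample_pe())["findings"]:
        print(line)
```

Running it on a real file is `triage(open(path, "rb").read())`; the findings it prints for the constructed header are the three threshold lines from this report, and `dll_characteristics` decodes to the same four flags.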
Source: C:\Users\user\Desktop\5dtLgMI0Rh.exe Code function: 0_2_00007FF72E9340C0 push rax; ret 0_2_00007FF72E9340CD
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: 5dtLgMI0Rh.exe Binary or memory string: Myibywahyktefyoqemutziefygyqeqycizivomaqtyivripeherumo
Source: 5dtLgMI0Rh.exe Binary or memory string: Ogpemuughehuittoohedogleiladyvdizyyqpuipvoqiuxybtunyimolroazensooqemugvesepelabiceapuczoakenuwnuapl
Source: 5dtLgMI0Rh.exe Binary or memory string: Wisytyilkoqemuuty
No contacted IP addresses