Windows Analysis Report
a7L79MRSDX.exe

Overview

General Information

Sample name: a7L79MRSDX.exe (renamed because original name is a hash value)
Original sample name: a9b0c24d41e753b3933a42ddb331678e.exe
Analysis ID: 1417237
MD5: a9b0c24d41e753b3933a42ddb331678e
SHA1: 7be3b45cbb0fc93d249b51eef8d898f9349253be
SHA256: e2e6b7f0b568d699d50c8f4cc9423d0078822026f5e33f155334b3ddc8d65988
Tags: exe
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file contains an invalid checksum
PE file overlay found
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: a7L79MRSDX.exe | ReversingLabs: Detection: 52%
Source: a7L79MRSDX.exe | Joe Sandbox ML: detected
Source: a7L79MRSDX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\vof_38\kuko falaribeme\2\jowatofis\sixilakel\bopubumavo mera.pdb | source: a7L79MRSDX.exe
Source: a7L79MRSDX.exe | Static PE information: Data appended to the last section found
Source: classification engine | Classification label: mal52.winEXE@0/0@0/0
Source: a7L79MRSDX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: a7L79MRSDX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: a7L79MRSDX.exe | Static PE information: real checksum: 0x5af94 should be: 0x47e1e
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label
a7L79MRSDX.exe | 53% | ReversingLabs | Win32.Trojan.Glupteba
a7L79MRSDX.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Start date and time: 2024-03-28 19:57:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.
  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: a7L79MRSDX.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.0524521239881635
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.94%
  • Clipper DOS Executable (2020/12) 0.02%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
File name: a7L79MRSDX.exe
File size: 245'567 bytes
MD5: a9b0c24d41e753b3933a42ddb331678e
SHA1: 7be3b45cbb0fc93d249b51eef8d898f9349253be
SHA256: e2e6b7f0b568d699d50c8f4cc9423d0078822026f5e33f155334b3ddc8d65988
SHA512: 61ffe41290bff5e5bae1b2bb4892db9df4bc52863d369e5c8ade45c4f6c0897e2ff4a88430a272975221dbd846169663ca82e53f06fe1aa546a8eb70a8d2f4e9
SSDEEP: 3072:reCgdXDHFcmbzx+dUQIiXUcOoPMDS4NQQPwXwKmPht9YKwfurDnRL:rwD1CULaMDS4NpUtmJ5wIL
TLSH: 5234CF12B6D3C032E9B302721CA49E41463FFDB74DB15A5737D8660D4AB46D0AB36BA2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L...s.;c...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x403e66
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x633B1F73 [Mon Oct 3 17:44:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 83f60ac3c0aa9a7a804ae19989ee18ed
Instruction
call 00007FA7987E85A2h
jmp 00007FA7987E2FE5h
push 00000014h
push 00417758h
call 00007FA7987E62F9h
call 00007FA7987E8773h
movzx esi, ax
push 00000002h
call 00007FA7987E8535h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007FA7987E2FE6h
xor ebx, ebx
jmp 00007FA7987E3015h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FA7987E2FCDh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FA7987E2FBFh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007FA7987E2FEBh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007FA7987E7FA8h
test eax, eax
jne 00007FA7987E2FEAh
push 0000001Ch
call 00007FA7987E30C1h
pop ecx
call 00007FA7987E5448h
test eax, eax
jne 00007FA7987E2FEAh
push 00000010h
call 00007FA7987E30B0h
pop ecx
call 00007FA7987E85AEh
and dword ptr [ebp-04h], 00000000h
call 00007FA7987E75DCh
test eax, eax
jns 00007FA7987E2FEAh
push 0000001Bh
call 00007FA7987E3096h
pop ecx
call dword ptr [004100C0h]
mov dword ptr [00AE3550h], eax
call 00007FA7987E85C9h
mov dword ptr [0043CDACh], eax
call 00007FA7987E7F6Ch
test eax, eax
jns 00007FA7987E2FEAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17b64 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e4000 | 0x12290 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10200 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17058 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x10000 | 0x19c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xef80 | 0xf000 | 9b5e659a9d19e833fcea657713bcb49f | False | 0.6001790364583334 | data | 6.717297530344267 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x84de | 0x8600 | 993ab1f75cc83961f5b80acb54d582a4 | False | 0.44834421641791045 | data | 5.073037261104227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x6ca554 | 0x23e00 | 8993bcdfe8938f5a40645fbb50f6fda8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6e4000 | 0x12290 | 0x12400 | 1cc6eb4d8b4ddc19056355e88e6cbdbc | False | 0.2830188679245283 | data | 2.247764929847721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
 | 0x6ee0f0 | 0x9e7 | empty | Romanian | Romania | 0
RT_CURSOR | 0x6eead8 | 0xea8 | empty | | | 0
RT_CURSOR | 0x6ef980 | 0x8a8 | empty | | | 0
RT_CURSOR | 0x6f0228 | 0x568 | empty | | | 0
RT_CURSOR | 0x6f07c0 | 0x130 | empty | | | 0
RT_CURSOR | 0x6f08f0 | 0xb0 | empty | | | 0
RT_CURSOR | 0x6f09c8 | 0xea8 | empty | | | 0
RT_CURSOR | 0x6f1870 | 0x8a8 | empty | | | 0
RT_CURSOR | 0x6f2118 | 0x568 | empty | | | 0
RT_CURSOR | 0x6f26b0 | 0xea8 | empty | | | 0
RT_CURSOR | 0x6f3558 | 0x8a8 | empty | | | 0
RT_CURSOR | 0x6f3e00 | 0x568 | empty | | | 0
RT_ICON | 0x6e47b0 | 0x6c8 | empty | Romanian | Romania | 0
RT_ICON | 0x6e4e78 | 0x25a8 | empty | Romanian | Romania | 0
RT_ICON | 0x6e7420 | 0x468 | empty | Romanian | Romania | 0
RT_ICON | 0x6e78b8 | 0xea8 | empty | Romanian | Romania | 0
RT_ICON | 0x6e8760 | 0x8a8 | empty | Romanian | Romania | 0
RT_ICON | 0x6e9008 | 0x6c8 | empty | Romanian | Romania | 0
RT_ICON | 0x6e96d0 | 0x568 | empty | Romanian | Romania | 0
RT_ICON | 0x6e9c38 | 0x25a8 | empty | Romanian | Romania | 0
RT_ICON | 0x6ec1e0 | 0x10a8 | empty | Romanian | Romania | 0
RT_ICON | 0x6ed288 | 0x988 | empty | Romanian | Romania | 0
RT_ICON | 0x6edc10 | 0x468 | empty | Romanian | Romania | 0
RT_STRING | 0x6f4590 | 0x326 | empty | Romanian | Romania | 0
RT_STRING | 0x6f48b8 | 0x312 | empty | Romanian | Romania | 0
RT_STRING | 0x6f4bd0 | 0x78a | empty | Romanian | Romania | 0
RT_STRING | 0x6f5360 | 0x63e | empty | Romanian | Romania | 0
RT_STRING | 0x6f59a0 | 0x5ae | empty | Romanian | Romania | 0
RT_STRING | 0x6f5f50 | 0x340 | empty | Romanian | Romania | 0
RT_GROUP_CURSOR | 0x6f0790 | 0x30 | empty | | | 0
RT_GROUP_CURSOR | 0x6f09a0 | 0x22 | empty | | | 0
RT_GROUP_CURSOR | 0x6f2680 | 0x30 | empty | | | 0
DLL | Import
KERNEL32.dll | InterlockedIncrement, SetConsoleTextAttribute, ReadConsoleA, GetCurrentProcess, CreateDirectoryW, GetFileAttributesExA, GetTickCount, GetCommConfig, GetWindowsDirectoryA, GlobalAlloc, GetVolumeInformationA, GetFirmwareEnvironmentVariableA, TerminateThread, GetLocaleInfoW, GetConsoleAliasExesLengthW, GetVersionExW, GetConsoleAliasW, SetSystemPowerState, GetModuleFileNameW, CreateFileW, GetHandleInformation, FindResourceA, GetCurrentDirectoryW, GetProcAddress, PeekConsoleInputW, RemoveDirectoryA, LoadLibraryA, WriteConsoleA, FindFirstVolumeMountPointW, GetNumberFormatW, QueryDosDeviceW, GlobalFindAtomW, VirtualProtect, _lopen, GetCurrentProcessId, ResetWriteWatch, AreFileApisANSI, OutputDebugStringW, HeapReAlloc, LoadLibraryExW, GetLastError, GetEnvironmentVariableW, MultiByteToWideChar, EncodePointer, DecodePointer, ReadFile, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, ExitProcess, GetModuleHandleExW, HeapSize, HeapFree, IsDebuggerPresent, SetFilePointerEx, GetStdHandle, GetFileType, GetStartupInfoW, HeapAlloc, GetProcessHeap, GetModuleFileNameA, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LCMapStringW, SetStdHandle, WriteConsoleW, CloseHandle
USER32.dll | CharUpperBuffW, ChangeMenuA, CharLowerA, DrawAnimatedRects
ADVAPI32.dll | ReadEventLogA

Language of compilation system | Country where language is spoken
Romanian | Romania
No network behavior found
No statistics
No system behavior
No disassembly