Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe
Analysis ID:	1429057
MD5:	a4d73bcee78a6720b9fe2813ef126b86
SHA1:	2ad6ca33477b812b1da88cb8882ef72dc6162033
SHA256:	6c297636f162ba3bc73f683b832374461bd1b367470b9dfe2c50647fbf3c7e0f
Tags:	exe
Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Machine Learning detection for sample

Binary contains a suspicious time stamp

PE file overlay found

Classification

×

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdbw source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe
Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdb source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

String found in binary or memory: https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: sus21.winEXE@0/0@0/0

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdbw source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe
Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdb source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Source: SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe

Static PE information: 0xA38ABFCF [Mon Dec 11 16:54:39 2056 UTC]

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Timestomp	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-	SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429057
Start date and time:	2024-04-20 13:32:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe
Detection:	SUS
Classification:	sus21.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, login.live.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.4928523681314045
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Riskware.00584baa1.29365.29466.exe
File size:	147'205 bytes
MD5:	a4d73bcee78a6720b9fe2813ef126b86
SHA1:	2ad6ca33477b812b1da88cb8882ef72dc6162033
SHA256:	6c297636f162ba3bc73f683b832374461bd1b367470b9dfe2c50647fbf3c7e0f
SHA512:	076a2790b95b072fe16304aa04ddf4f144fd96d55a2492e5c6532fce06f85bff4f5934fd1872535c8873f81b82f644a91d4429a66a9b5de6df204fabc0cdf663
SSDEEP:	768:Is8ZxGFfw7xgIHMHuEVpkWEKfbB+bBKF/8ncpROz3SeN/nB+bBKF/8n:IrxGFY7vgk9uHWncSzSs/HWn
TLSH:	90E318636F9D82ECF89CD5758C81F182C3A1EEC05C1B4966EABDBE1DD9B35180E03652
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...P.................. ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41ffa2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA38ABFCF [Mon Dec 11 16:54:39 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ff4f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x1ab38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1fe98	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1dfa8	0x1e000	d62896828e36351e08dff488424c33d9	False	0.18076171875	data	3.3710362255920585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x1ab38	0x1ac00	45317a0dd2be6c6776cb371b56fe0942	False	0.3266283122664091	data	3.697821240792632	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c000	0xc	0x200	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x201a0	0x1e28	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9598445595854922
RT_ICON	0x21fd8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.01059957857097248

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly