Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe
Analysis ID:	1429060
MD5:	f70ea3e3ab37bd563f0af05b2c7ff141
SHA1:	bcc4a728fb036c8b9b85f92d7053e5e01376b5d7
SHA256:	ef74f6ab71ef01a876c621a62c2337a6d7784b147b0a88d413b3f9ec4d81e9e2
Tags:	exe

Errors No process behavior to analyse as no analysis process or sample was found Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Binary contains a suspicious time stamp

PE file overlay found

Classification

×

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Virustotal: Detection: 12%

Machine Learning detection for sample

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdbw source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe
Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdb source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

String found in binary or memory: https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: mal52.winEXE@0/0@0/0

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Virustotal: Detection: 12%

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdbw source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe
Source:	Binary string: J:\WINTECH\WinInvoice_SignerDownload\WinInvoice_SignerDownload\obj\Debug\WinInvoice_SignerDownload.pdb source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Source: SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe

Static PE information: 0xA38ABFCF [Mon Dec 11 16:54:39 2056 UTC]

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Timestomp	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe	13%	Virustotal		Browse
SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://download.wininvoice.vn/source/WinSignature%20Setup.exe?uid=c2e94d36fc0c3cb9b419c38eb9970b2b-	SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1429060
Start date and time:	2024-04-20 13:32:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe
Detection:	MAL
Classification:	mal52.winEXE@0/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Unable to launch sample, stop analysis

Errors

No process behavior to analyse as no analysis process or sample was found
Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 23.76.32.107
Excluded domains from analysis (whitelisted): client.wns.windows.com, wildcard.weather.microsoft.com.edgekey.net, tile-service.weather.microsoft.com, e15275.g.akamaiedge.net

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.1702734608556336
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Riskware.00584baa1.19456.6684.exe
File size:	212'741 bytes
MD5:	f70ea3e3ab37bd563f0af05b2c7ff141
SHA1:	bcc4a728fb036c8b9b85f92d7053e5e01376b5d7
SHA256:	ef74f6ab71ef01a876c621a62c2337a6d7784b147b0a88d413b3f9ec4d81e9e2
SHA512:	3f1c261c5bd0bfc00dac87abafa0fdeb80d8452ce9702fb186759584315bdc546ab4cea3b26e72c9c3d1fc3395e90e6bfc717e60b50d9e13738af4e2c07373ac
SSDEEP:	768:Is8ZxGFfw7xgIHMHuEVpkWEKfbB+bBKF/8ncpROz3SeN/nB+bBKF/8nCpRpz:IrxGFY7vgk9uHWncSzSs/HWnC9
TLSH:	1924F6536F9D81ECF89CE5758C85F282C2A0EEC04C4B4966A6BDBE1DD9F35180E07792
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...P.................. ........@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x41ffa2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA38ABFCF [Mon Dec 11 16:54:39 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ff4f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x1ab38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1fe98	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1dfa8	0x1e000	d62896828e36351e08dff488424c33d9	False	0.18076171875	data	3.3710362255920585	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x1ab38	0x1ac00	53c665c15c53aca1f3ea95bce7575bb6	False	0.13642010542927174	data	2.842775602241573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c000	0xc	0x200	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x201a0	0x1e28	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9598445595854922
RT_ICON	0x21fd8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.04601916479356442
RT_ICON	0x32810	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.08099136977207347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

⊘No system behavior

Disassembly

⊘No disassembly