Edit tour
Windows
Analysis Report
aMail_Ver1.exe
Overview
General Information
Detection
Score: | 29 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Compliance
Score: | 49 |
Range: | 0 - 100 |
Signatures
Installs new ROOT certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior |
- System is w7x64
- aMail_Ver1.exe (PID: 1520 cmdline:
"C:\Users\ user\Deskt op\aMail_V er1.exe" MD5: 06B0347315D3AB5385A0479134EC22CC)
- cleanup
⊘No configs have been found
⊘No yara matches
Source: | Author: frack113: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
Compliance |
---|
Source: | Static PE information: |
Source: | Window detected: |