Windows Analysis Report
ZOquwQZvoa.exe

Overview

General Information

Sample name:ZOquwQZvoa.exe
renamed because original name is a hash value
Original sample name:ca4c78e5b146a4eddfcde39610ff1943.exe
Analysis ID:1432079
MD5:ca4c78e5b146a4eddfcde39610ff1943
SHA1:9ac38a6f5a9e77b724f4df58ad54ac5d90183e15
SHA256:1c3448b78546786cd23b0642700e6c05b49c786f1bbf2f14c60cfff2b378736f
Tags: 32, exe, Stealc
Errors
  • Unable to connect to analysis machine: w10x64, esxi07-W10x64_Office_01, timeout exceeded, no analysis of the sample was performed
  • No process behavior to analyse as no analysis process or sample was found

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: ZOquwQZvoa.exe | Avira: detected
Source: ZOquwQZvoa.exe | Virustotal: Detection: 41%
Source: ZOquwQZvoa.exe | Joe Sandbox ML: detected
Source: ZOquwQZvoa.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\jozavuro\xorodilixit\54 m.pdb | source: ZOquwQZvoa.exe
Source: Binary string: -C:\jozavuro\xorodilixit\54 m.pdb | source: ZOquwQZvoa.exe
Source: ZOquwQZvoa.exe | Binary or memory string: OriginalFilenameFirezer( vs ZOquwQZvoa.exe
Source: classification engine | Classification label: mal60.winEXE@0/0@0/0
Source: ZOquwQZvoa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZOquwQZvoa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ZOquwQZvoa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZOquwQZvoa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZOquwQZvoa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZOquwQZvoa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZOquwQZvoa.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label
ZOquwQZvoa.exe | 42% | Virustotal |
ZOquwQZvoa.exe | 100% | Avira | HEUR/AGEN.1361904
ZOquwQZvoa.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Start date and time:2024-04-26 12:00:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:0
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Detection:MAL
Classification:mal60.winEXE@0/0@0/0
No simulations
No context
No created / dropped files found
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.5021258330497504
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.53%
  • InstallShield setup (43055/19) 0.43%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ZOquwQZvoa.exe
File size:305'152 bytes
SHA512:fd958e80f756c8002814d8e2a0616079ec3f7e37d4277fc1587f0975935836b523e3e611a5f2452fb474d9ca21231b93e18de79c61a5c57bc3dec36a0330bbf3
SSDEEP:3072:1HdB+Q00pIdkl+P0VD8Df5h8jYbSE7XGKICg6hty92rN3G9JlCUj6+PhXmSIN8nj:pNySl68srjg6/529PCUj6Gch8nPr
TLSH:D5545A0736E47C90E62247724F2EBAEC372DF9649F556B3722586F0B84702B0D263B56
Entrypoint:0x404457
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x653DC88F [Sun Oct 29 02:50:55 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:fee2e01e9ecb27c28da2b6fc37f265e9
Instruction
Programming Language:
  • [ASM] VS2013 build 21005
  • [ C ] VS2013 build 21005
  • [C++] VS2013 build 21005
  • [IMP] VS2008 SP1 build 30729
  • [RES] VS2013 build 21005
  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x183e4 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c23000 | 0x167e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c3a000 | 0x1380 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x121f0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x178f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12000 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x10035 | 0x10200 | 48af369956e9195ab73ea3822ff38852 | False | 0.6008660368217055 | data | 6.691582164808204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12000 | 0x6c72 | 0x6e00 | 8dbfb4f7efa534ed7af31cfbfd88dac2 | False | 0.38899147727272726 | data | 4.720676210345591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x3c09188 | 0x1b800 | 50acfa3161c562e0cd2e1d6d1ab01b64 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c23000 | 0x167e0 | 0x16800 | 4d1e9abd966fdeb3d0460b1a77cafb1e | False | 0.4259006076388889 | data | 4.907849938636764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3c3a000 | 0x1380 | 0x1400 | 15cbe146566e272d8f95752a554d23af | False | 0.74765625 | data | 6.462484217359861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AFX_DIALOG_LAYOUT | 0x3c39020 | 0xe | data | | | 1.5714285714285714
RT_ICON | 0x3c236e0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.41647465437788017
RT_ICON | 0x3c23da8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.16410788381742739
RT_ICON | 0x3c26350 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.21365248226950354
RT_ICON | 0x3c267e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.3664712153518124
RT_ICON | 0x3c27690 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.45442238267148016
RT_ICON | 0x3c27f38 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.45506912442396313
RT_ICON | 0x3c28600 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.4638728323699422
RT_ICON | 0x3c28b68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2683609958506224
RT_ICON | 0x3c2b110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.3072232645403377
RT_ICON | 0x3c2c1b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.35106382978723405
RT_ICON | 0x3c2c688 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5690298507462687
RT_ICON | 0x3c2d530 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.5437725631768953
RT_ICON | 0x3c2ddd8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.6184971098265896
RT_ICON | 0x3c2e340 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4632780082987552
RT_ICON | 0x3c308e8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4866322701688555
RT_ICON | 0x3c31990 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.4905737704918033
RT_ICON | 0x3c32318 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.44769503546099293
RT_ICON | 0x3c327e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.4240405117270789
RT_ICON | 0x3c33690 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.4833032490974729
RT_ICON | 0x3c33f38 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.5835253456221198
RT_ICON | 0x3c34600 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.4913294797687861
RT_ICON | 0x3c34b68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.4701244813278008
RT_ICON | 0x3c37110 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4878048780487805
RT_ICON | 0x3c381b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.5032786885245901
RT_ICON | 0x3c38b40 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.5514184397163121
RT_STRING | 0x3c39270 | 0x2bc | data | | | 0.49142857142857144
RT_STRING | 0x3c39530 | 0x2ac | data | | | 0.48830409356725146
RT_GROUP_ICON | 0x3c32780 | 0x68 | data | | | 0.7115384615384616
RT_GROUP_ICON | 0x3c2c620 | 0x68 | data | | | 0.6826923076923077
RT_GROUP_ICON | 0x3c267b8 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x3c38fa8 | 0x76 | data | | | 0.6779661016949152
RT_VERSION | 0x3c39030 | 0x23c | data | | | 0.5367132867132867
DLL | Import
KERNEL32.dll | GlobalMemoryStatus, GetLocaleInfoA, LocalCompact, InterlockedDecrement, GetComputerNameW, CreateHardLinkA, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, GetUserDefaultLangID, SetCommState, GlobalAlloc, LoadLibraryW, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, BuildCommDCBW, LoadLibraryA, SetCalendarInfoW, GetExitCodeThread, AddAtomW, CreateEventW, GlobalFindAtomW, GetOEMCP, LoadLibraryExA, VirtualProtect, GetConsoleProcessList, GetTempPathA, GetVolumeInformationW, HeapAlloc, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, HeapFree, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, GetStringTypeW, LoadLibraryExW, OutputDebugStringW, LCMapStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, CreateFileW
No network behavior found
No statistics
No system behavior
No disassembly