
Windows Analysis Report
DRAKETAX2023.EXE

Overview

General Information

Sample name: DRAKETAX2023.EXE
Analysis ID: 1523773
MD5: 5f78842863d480ceb757501585bbe0dd
SHA1: a3b6f8e2e7d32cfedc933b0b2a84832f81ab08cd
SHA256: 2a3d437535627175832dfbbfb27c678512835d9d36f5ef94e68373cac72c6ec9

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • DRAKETAX2023.EXE (PID: 7272 cmdline: "C:\Users\user\Desktop\DRAKETAX2023.EXE" MD5: 5F78842863D480CEB757501585BBE0DD)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Signature Results

There are no malicious signatures; all signature results are listed below.

Source: DRAKETAX2023.EXE | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DRAKETAX2023.EXE | Static PE information: certificate valid
Source: DRAKETAX2023.EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdbnnnGCTL | source: DRAKETAX2023.EXE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb | source: DRAKETAX2023.EXE
Source: DRAKETAX2023.EXE | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DRAKETAX2023.EXE | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DRAKETAX2023.EXE | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: DRAKETAX2023.EXE | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://ocsp.digicert.com0
Source: DRAKETAX2023.EXE | String found in binary or memory: http://ocsp.digicert.com0A
Source: DRAKETAX2023.EXE | String found in binary or memory: http://ocsp.digicert.com0C
Source: DRAKETAX2023.EXE | String found in binary or memory: http://ocsp.digicert.com0X
Source: DRAKETAX2023.EXE | String found in binary or memory: http://www.digicert.com/CPS0
Source: DRAKETAX2023.EXE | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: DRAKETAX2023.EXE | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: DRAKETAX2023.EXE | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: DRAKETAX2023.EXE | Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: DRAKETAX2023.EXE, 00000000.00000002.1644002875.0000000000D3B000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDrakeTax2023.dllF vs DRAKETAX2023.EXE
Source: DRAKETAX2023.EXE | Binary or memory string: OriginalFilenameDrakeTax2023.dllF vs DRAKETAX2023.EXE
Source: classification engine | Classification label: clean2.winEXE@1/0@0/0
Source: DRAKETAX2023.EXE | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DRAKETAX2023.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\DRAKETAX2023.EXE | Section loaded: kernel.appcore.dll
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DRAKETAX2023.EXE | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DRAKETAX2023.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DRAKETAX2023.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DRAKETAX2023.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DRAKETAX2023.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DRAKETAX2023.EXE | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
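The static rows above (file characteristics, the DllCharacteristics mitigations, the data-directory-to-section mapping, the "certificate valid" entry) and the OriginalFilename signature are the findings an analyst re-checks outside the sandbox. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed program: it reads those header fields with the standard library only and runs against a constructed, header-only PE32 laid out like the sample (the function names and the synthetic file are this example's own, not the real binary). It also records two caveats the report rows do not state. The SECURITY data directory only proves a WIN_CERTIFICATE blob is attached; chain validity needs `signtool verify /pa` or `Get-AuthenticodeSignature`. And the apphost.pdb path marks this sample as a .NET apphost, which carries the version resource of its managed assembly, so an .exe whose OriginalFilename is the same stem with a .dll extension is expected for that build type rather than a masquerading indicator. Likewise, the RT_VERSION row's "MacBinary" identification is a content-type heuristic fired on raw resource bytes (note the INVALID date it prints), not an actual MacBinary container.

```python
"""Header-level PE triage mirroring the report's 'Static PE information' rows,
run on a constructed header-only PE32 so it works offline (added example)."""
import struct

FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
              0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_FLAGS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
             0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                 0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
                 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIRS = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
        "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
        "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]

def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]

def parse_pe(data):
    """Read the NT headers, optional-header flags, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Subsystem and DllCharacteristics sit at +68/+70 in both PE32 and PE32+.
    _, dllchars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dir_base + 8 * i)
        if rva or size:
            dirs[DIRS[i]] = (rva, size)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, *_, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "size": max(vsize, rawsize), "flags": _flags(sflags, SECTION_FLAGS)})
    return {"machine": machine, "pe32plus": pe32plus, "characteristics": _flags(chars, FILE_FLAGS),
            "dll_characteristics": _flags(dllchars, DLL_FLAGS), "directories": dirs,
            "sections": sections}

def section_for_rva(info, rva):
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s["name"]
    return None

def triage(info):
    """Answer the questions behind the report's static rows, as data rather than text."""
    # SECURITY holds a *file offset* to the WIN_CERTIFICATE blob, not an RVA, so it is
    # only reported as present; chain validity needs signtool / Get-AuthenticodeSignature.
    where = {n: section_for_rva(info, rva) for n, (rva, _) in info["directories"].items()
             if n != "SECURITY"}
    wanted = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF")
    return {"directory_sections": where,
            "has_authenticode_blob": "SECURITY" in info["directories"],
            "missing_mitigations": [f for f in wanted if f not in info["dll_characteristics"]],
            "writable_executable": [s["name"] for s in info["sections"]
                                    if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(s["flags"])]}

def version_name_mismatch(sample_name, original_filename):
    """Classify the 'sample file is different than original file name' signature. A .NET
    apphost carries the version resource of its managed assembly, so an .exe whose
    OriginalFilename is the same stem with .dll is expected, not masquerading."""
    s_stem, _, s_ext = sample_name.lower().rpartition(".")
    o_stem, _, o_ext = original_filename.lower().rpartition(".")
    if s_stem == o_stem and (s_ext, o_ext) == ("exe", "dll"):
        return "apphost-style"
    return "match" if (s_stem, s_ext) == (o_stem, o_ext) else "mismatch"

def build_sample_pe():
    """Constructed header-only PE32 with the section/directory layout the report lists."""
    sections = [(b".text", 0x1000, 0x60000020), (b".rdata", 0x2000, 0x40000040),
                (b".rsrc", 0x3000, 0x40000040), (b".reloc", 0x4000, 0x42000040)]
    dirs = {"IMPORT": (0x2100, 0x50), "RESOURCE": (0x3000, 0x400), "SECURITY": (0x5000, 0x1800),
            "BASERELOC": (0x4000, 0x100), "DEBUG": (0x2200, 0x38), "LOAD_CONFIG": (0x2300, 0xB8),
            "IAT": (0x2000, 0x80)}
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB", 0x10B, 14, 0) + b"\0" * 64                 # fields not parsed here
    opt += struct.pack("<HH", 2, 0x0040 | 0x0100 | 0x4000 | 0x8000)       # GUI; DYNAMIC_BASE|NX|CFG|TS
    opt += b"\0" * 20 + struct.pack("<I", 16)                            # stack/heap, LoaderFlags, 16 dirs
    opt += b"".join(struct.pack("<II", *dirs.get(n, (0, 0))) for n in DIRS)
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, rva, 0x1000, 0, 0, 0, 0, 0, fl)
                   for n, rva, fl in sections)
    return dos + nt + opt + tbl

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["characteristics"], info["dll_characteristics"], triage(info))
    print(version_name_mismatch("DRAKETAX2023.EXE", "DrakeTax2023.dll"))
```

On the constructed file, `parse_pe` reproduces the report's rows (EXECUTABLE_IMAGE and 32BIT_MACHINE, the four DllCharacteristics flags, `.text` as code/execute/read, IMPORT and IAT in `.rdata`, RESOURCE in `.rsrc`, BASERELOC in `.reloc`), and `triage` reports no missing mitigations and no writable-and-executable section. To run it on a real sample, replace `build_sample_pe()` with the bytes of the file; the parser only touches headers, so it is safe on untrusted input apart from the bounds errors `struct` raises on truncated files.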
MITRE ATT&CK Matrix

Numbers in parentheses are the count of matched signatures mapped to that technique; entries without a number are the matrix's default placeholder techniques for tactics with no match.

  • Reconnaissance: Gather Victim Identity Information
  • Resource Development: Acquire Infrastructure
  • Initial Access: Valid Accounts
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping
  • Discovery: System Information Discovery (1)
  • Lateral Movement: Remote Services
  • Collection: Data from Local System
  • Command and Control: Data Obfuscation
  • Exfiltration: Exfiltration Over Other Network Medium
  • Impact: Abuse Accessibility Features