Analysis Report Evolution des moyens de trasport.exe

Overview

General Information

Sample Name:	Evolution des moyens de trasport.exe
Analysis ID:	385484
MD5:	e31302978d2b065f030279b481e32344
SHA1:	2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:	f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58
Infos:
Most interesting Screenshot:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Antivirus or Machine Learning detection for unpacked file

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Antivirus or Machine Learning detection for unpacked file

Source: 0.0.Evolution des moyens de trasport.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Evolution des moyens de trasport.exe.400000.0.unpack	Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files

Source: Evolution des moyens de trasport.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Evolution des moyens de trasport.exe

String found in binary or memory: http://127.0.0.1:

System Summary:

PE file contains strange resources

Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFileName vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFilename vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp	Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp	Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe	Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Section loaded: utility.dll

Jump to behavior

Uses 32bit PE files

Source: Evolution des moyens de trasport.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: Evolution des moyens de trasport.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Evolution des moyens de trasport.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Evolution des moyens de trasport.exe

Static file information: File size 4903529 > 1048576

Source: Evolution des moyens de trasport.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b4000

Data Obfuscation:

PE file contains an invalid checksum

Source: Evolution des moyens de trasport.exe

Static PE information: real checksum: 0x2219e3 should be: 0x4b9400

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00409010 push B0005252h; iretd	0_2_00409015
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00403013 push 0040139Eh; ret	0_2_004030B7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C148 push ebx; retn 0040h	0_2_0040C149
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00408172 push 0FC02F3Bh; ret	0_2_004082A3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1C0 push 0040139Eh; ret	0_2_0040C1D3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1D4 push 0040139Eh; ret	0_2_0040C1E7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1E8 push 0040139Eh; ret	0_2_0040C1FB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C1FC push 0040139Eh; ret	0_2_0040C20F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C182 push 0040139Eh; ret	0_2_0040C1BF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C24C push 0040139Eh; ret	0_2_0040C25F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C260 push 0040139Eh; ret	0_2_0040C273
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040626C push 0040139Eh; ret	0_2_0040627F
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C274 push 0040139Eh; ret	0_2_0040C287
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C210 push 0040139Eh; ret	0_2_0040C223
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00406215 push 0040139Eh; ret	0_2_00406293
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040621E push 0040139Eh; ret	0_2_0040626B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C224 push 0040139Eh; ret	0_2_0040C237
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C238 push 0040139Eh; ret	0_2_0040C24B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2C4 push 0040139Eh; ret	0_2_0040C2D7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062D0 push 0040139Eh; ret	0_2_004062E3
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2D8 push 0040139Eh; ret	0_2_0040C2EB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062E4 push 0040139Eh; ret	0_2_004062F7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C2EC push 0040139Eh; ret	0_2_0040C2FF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062F8 push 0040139Eh; ret	0_2_0040630B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B286 push 0040139Eh; ret	0_2_0040B299
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C288 push 0040139Eh; ret	0_2_0040C29B
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_00406294 push 0040139Eh; ret	0_2_004062A7
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B29A push 0040139Eh; ret	0_2_0040B2AD
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040C29C push 0040139Eh; ret	0_2_0040C2AF
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_004062A8 push 0040139Eh; ret	0_2_004062BB
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Code function: 0_2_0040B2AE push 0040139Eh; ret	0_2_0040B2C1

Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp	Binary or memory string: Progman UIq
Source: Evolution des moyens de trasport.exe	Binary or memory string: Shell_TrayWnd
Source: Evolution des moyens de trasport.exe	Binary or memory string: Progman
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp	Binary or memory string: Program Manager CC
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp	Binary or memory string: Progmantd
Source: Evolution des moyens de trasport.exe	Binary or memory string: shell_traywnd

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	385484
Product:	CloudBasic
Start time:	15:25:46
Start date:	12.04.2021
Sample:	Evolution des moyens de trasport.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e31302978d2b065f030279b481e32344
SHA1:	2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:	f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Analysis Report Evolution des moyens de trasport.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map