
Analysis Report Evolution des moyens de trasport.exe

Overview

General Information

Sample Name:Evolution des moyens de trasport.exe
Analysis ID:385484
MD5:e31302978d2b065f030279b481e32344
SHA1:2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58

Detection

Score:4
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


There are no malicious signatures; all signature results are listed below.

Source: 0.0.Evolution des moyens de trasport.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Evolution des moyens de trasport.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: Evolution des moyens de trasport.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Evolution des moyens de trasport.exe | String found in binary or memory: http://127.0.0.1:
Source: Evolution des moyens de trasport.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Evolution des moyens de trasport.exe | Binary or memory string: OriginalFileName vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe | Binary or memory string: OriginalFilename vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp | Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe, 00000000.00000002.329695649.0000000000401000.00000020.00020000.sdmp | Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe | Binary or memory string: interval0\VarFileInfo\Translation \StringFileInfo\ OriginalFileName watch list kill white list kill f vs Evolution des moyens de trasport.exe
Source: Evolution des moyens de trasport.exe | Binary or memory string: OriginalFilename%q vs Evolution des moyens de trasport.exe
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Section loaded: utility.dll
Source: Evolution des moyens de trasport.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: clean4.winEXE@1/0@0/0
Source: Evolution des moyens de trasport.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Evolution des moyens de trasport.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Evolution des moyens de trasport.exe | Static file information: File size 4903529 > 1048576
Source: Evolution des moyens de trasport.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b4000
Source: Evolution des moyens de trasport.exe | Static PE information: real checksum: 0x2219e3 should be: 0x4b9400
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_00409010 push B0005252h; iretd
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_00403013 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C148 push ebx; retn 0040h
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_00408172 push 0FC02F3Bh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C1C0 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C1D4 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C1E8 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C1FC push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C182 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C24C push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C260 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040626C push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C274 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C210 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_00406215 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040621E push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C224 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C238 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C2C4 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_004062D0 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C2D8 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_004062E4 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C2EC push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_004062F8 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040B286 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C288 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_00406294 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040B29A push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040C29C push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_004062A8 push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Code function: 0_2_0040B2AE push 0040139Eh; ret
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Evolution des moyens de trasport.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp | Binary or memory string: Progman UIq
Source: Evolution des moyens de trasport.exe | Binary or memory string: Shell_TrayWnd
Source: Evolution des moyens de trasport.exe | Binary or memory string: Progman
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp | Binary or memory string: Program Manager CC
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330198231.000000000095E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: Evolution des moyens de trasport.exe, 00000000.00000002.330189742.0000000000953000.00000004.00000001.sdmp | Binary or memory string: Progmantd
Source: Evolution des moyens de trasport.exe | Binary or memory string: shell_traywnd

Mitre Att&ck Matrix

Techniques per tactic column (the "(1)" suffix is the count shown in the matrix for that technique):

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac)
  • Defense Evasion: Software Packing (1), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
  • Discovery: Process Discovery (1), System Information Discovery (1), Query Registry, System Network Configuration Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Evolution des moyens de trasport.exe | 6% | ReversingLabs |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.Evolution des moyens de trasport.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen
0.2.Evolution des moyens de trasport.exe.400000.0.unpack | 100% | Avira | TR/Dropper.VB.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1: | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1: | Evolution des moyens de trasport.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:385484
Start date:12.04.2021
Start time:15:25:46
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 57s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Evolution des moyens de trasport.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.9%)
  • Quality average: 83.4%
  • Quality standard deviation: 28.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/385484/sample/Evolution des moyens de trasport.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.736162650882512
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Evolution des moyens de trasport.exe
File size:4903529
MD5:e31302978d2b065f030279b481e32344
SHA1:2677beebffc4358d31e7eecdafa29f9ca0fffbd9
SHA256:f238e71f708ab19db8bea0e3b69bdaa13d5b74ff6e658c00cec97ec212f22c58
SHA512:974c009edc9526444d790432120374a934588aad2e6ad6190211051ff88fb75398c3a8e6613d70b57722ae124edf4d6f324ace1e2657014caa2081e5fb16ab04
SSDEEP:98304:mcc0ccccoccccQccccfcccccvl/bPd4WH9LBZMTJSE7RjPrxjSfc9Jo3hr7Ohr7W:MdFNB/E7R7rxOfc9JK+ctj
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode...$....i.J.m...)zi.)zi.)zi.-Yd.(zi.Rich)zi.................PE..L....~.U.................@...@...............P....@.............W..........

File Icon

Icon Hash:c5ddccf8fcb2f870

Static PE Info

General

Entrypoint:0x401404
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x55C07EA6 [Tue Aug 4 08:58:14 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:0207dabeb8fc11ba1c54f26ac6d0c8df

Entrypoint Preview

Instruction
push 0040237Ch
call 00007F4F909B5C65h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
hlt
inc ebx
adc dword ptr [edi-57B857FFh], edx
popfd
mov byte ptr [9B0A62F6h], al
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], cl
dec ebp
outsd
jne 00007F4F909B5CDFh
push eax
dec esp
inc ecx
pop ecx
inc ebp
push edx
add byte ptr [ecx+00h], ch
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [ecx], dh
add byte ptr [ebx+edi*4+41h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b4b24 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c1000 | 0x67508 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1b3e14 | 0x1b4000 | False | 0.185924285049 | data | 3.89114007151 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x1b5000 | 0xb2d4 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1c1000 | 0x67508 | 0x68000 | False | 0.160163292518 | data | 4.48340916271 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x21c3c0 | 0xa068 | data | |
RT_ICON | 0x21bd58 | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 33023, next used block 32512 | |
RT_ICON | 0x21ba70 | 0x2e8 | data | |
RT_ICON | 0x21b948 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x209520 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x208678 | 0xea8 | data | |
RT_ICON | 0x207dd0 | 0x8a8 | data | |
RT_ICON | 0x207868 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x1c5840 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x1c3298 | 0x25a8 | data | |
RT_ICON | 0x1c21f0 | 0x10a8 | data | |
RT_ICON | 0x1c1d88 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_STRING | 0x226428 | 0xe0 | data | English | United States
RT_GROUP_ICON | 0x1c1cd8 | 0xb0 | data | |
RT_VERSION | 0x1c1390 | 0x948 | data | English | United States
RT_MANIFEST | 0x226508 | 0x2000 | XML 1.0 document, ASCII text, with CRLF, CR line terminators | English | United States

Imports

DLL | Import
MSVBVM60.DLL | EVENT_SINK_GetIDsOfNames, MethCallEngine, EVENT_SINK_Invoke, Zombie_GetTypeInfo, EVENT_SINK2_Release, EVENT_SINK_AddRef, DllFunctionCall, Zombie_GetTypeInfoCount, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler, ProcCallEngine, EVENT_SINK2_AddRef

Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | 2020
InternalName | Evolution des moyens de trasport
FileVersion | 0.0.0.0
CompanyName | techno-flash.com
LegalTrademarks |
Comments |
ProductName | Associer des produits un besoin
ProductVersion | 0.0.0.0
FileDescription |
OriginalFilename | Evolution des moyens de trasport.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time:15:26:36
Start date:12/04/2021
Path:C:\Users\user\Desktop\Evolution des moyens de trasport.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Evolution des moyens de trasport.exe'
Imagebase:0x400000
File size:4903529 bytes
MD5 hash:E31302978D2B065F030279B481E32344
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low

Disassembly

Code Analysis
