
Windows Analysis Report ryxu0LoCH3.exe

Overview

General Information

Sample Name: ryxu0LoCH3.exe
Analysis ID: 490252
MD5: 0ad6beff5dc6704a93dc36ea43dc739c
SHA1: b4536a89dbaa58deb5c5ef299d71982259521d91
SHA256: 6b364b7c12a4e4d7f7275006be3adc70984086843f1cd013b2745ecbbb8fca00
Tags: exe
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Machine Learning detection for sample
PE file overlay found
Uses 32bit PE files
PE file contains sections with non-standard names
PE file contains an invalid checksum

Classification

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Machine Learning detection for sample
Source: ryxu0LoCH3.exe | Joe Sandbox ML: detected
Source: ryxu0LoCH3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: ryxu0LoCH3.exe | Static PE information: Data appended to the last section found
Source: ryxu0LoCH3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: ryxu0LoCH3.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: sus22.winEXE@0/0@0/0
Source: ryxu0LoCH3.exe | Static PE information: section name: .lwox
Source: ryxu0LoCH3.exe | Static PE information: section name: .vvny
Source: ryxu0LoCH3.exe | Static PE information: section name: .vtbg
Source: ryxu0LoCH3.exe | Static PE information: section name: .qtxm
Source: ryxu0LoCH3.exe | Static PE information: real checksum: 0x15de8d should be: 0xfe268

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
ryxu0LoCH3.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 490252
Start date: 25.09.2021
Start time: 10:12:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: ryxu0LoCH3.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.6.115
  • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 2.0948410959489343
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ryxu0LoCH3.exe
File size: 1040347
MD5: 0ad6beff5dc6704a93dc36ea43dc739c
SHA1: b4536a89dbaa58deb5c5ef299d71982259521d91
SHA256: 6b364b7c12a4e4d7f7275006be3adc70984086843f1cd013b2745ecbbb8fca00
SHA512: 893b7c98a41dbdc97418702462bc539ecdc2b6fdbecc648adad213880ca19155ce24cd15115e681c0f3afc4f7c08645420a1467a7bc4c4ebf469d9a40dd72141
SSDEEP: 3072:CORDINSkUIWnxw8CmtqvylJ10nkcvryr5dqT0NMdIp2uogBpUDZyL+UoPxwAnjac:Ti+qg0vryiT0NMd+2u/NLGb
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....;a.....................p...D...F............@........................................................................

File Icon

Icon Hash: aca9a8acaca6a888

Static PE Info

General

Entrypoint: 0x404612
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x613B8C85 [Fri Sep 10 16:49:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 15cdf6e35545e491e70d9cafb0fc7871

Entrypoint Preview

Instruction
push 00000000h
push ebp
mov ebp, esp
add esp, FFFFFFF8h
call 00007FA25CADB254h
cmp ebx, eax
je 00007FA25CAD6EBDh
pushad
add edi, ebx
inc ecx
add ecx, eax
push eax
push ecx
push 00000500h
lea eax, dword ptr [ebx+00430956h]
push eax
lea eax, dword ptr [ebx+00430F8Bh]
push eax
call dword ptr [ebx+0043401Ch]
push eax
pop dword ptr [ebp-08h]
push dword ptr [ebp-08h]
pop dword ptr [ebx+00430E1Ch]
lea eax, dword ptr [ebx+0043129Ah]
push eax
lea eax, dword ptr [ebx+004307D9h]
push eax
lea eax, dword ptr [ebx+004318F2h]
push eax
call dword ptr [ebx+0043401Ch]
mov dword ptr [ebp-04h], esi
sub esi, esi
or esi, eax
mov dword ptr [ebx+004316FAh], esi
mov esi, dword ptr [ebp-04h]
pop dword ptr [ebp-04h]
mov eax, dword ptr [ebp-04h]
push eax
call dword ptr [ebx+00434014h]
push eax
lea eax, dword ptr [ebx+00430352h]
push eax
lea eax, dword ptr [ebx+004312D6h]
push eax
call dword ptr [ebx+0043401Ch]
mov dword ptr [ebp-08h], ecx
and ecx, 00000000h
xor ecx, eax
and dword ptr [ebx+00430C80h], 00000000h
xor dword ptr [ebx+00430C80h], ecx
mov ecx, dword ptr [ebp-08h]
xor eax, eax
pop dword ptr [ebp-08h]
xor eax, dword ptr [ebp-08h]
push eax
lea eax, dword ptr [ebx+004317C5h]
push eax
lea eax, dword ptr [ebx+0043059Dh]
push eax
lea eax, dword ptr [ebx+00430D25h]
push eax
call dword ptr [ebx+00000000h]

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3402c | 0x3c | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4033000 | 0x13c54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x2b8 | 0x30 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x34000 | 0x2c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d054 | 0x2d200 | False | 0.412883050554 | data | 6.07840510931 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x1000 | 0x400 | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0x400201c | 0x4400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x4033000 | 0x13c54 | 0x13e00 | False | 0.147270538522 | data | 4.78681021699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lwox | 0x4047000 | 0x45000 | 0x45000 | False | 0.00105086616848 | data | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vvny | 0x408c000 | 0x48000 | 0x48000 | False | 0.00104437934028 | data | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vtbg | 0x40d4000 | 0x45000 | 0x45000 | False | 0.00109533354036 | data | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.qtxm | 0x4119000 | 0x45000 | 0x45000 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x4033328 | 0x10ac | data | |
RT_BITMAP | 0x40343d4 | 0x828 | dBase IV DBT, block length 2048, next free block index 40, next free block 2147450879, next used block 2147450879 | |
RT_ICON | 0x4034bfc | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_MENU | 0x4045424 | 0x1b2 | data | |
RT_MENU | 0x40455d8 | 0x208 | data | |
RT_MENU | 0x40457e0 | 0xae | data | |
RT_DIALOG | 0x4045890 | 0x8da | data | |
RT_DIALOG | 0x404616c | 0x324 | data | |
RT_STRING | 0x4046490 | 0x60a | data | |
RT_GROUP_CURSOR | 0x4046a9c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | |
RT_GROUP_ICON | 0x4046ab0 | 0x16 | data | |
RT_MANIFEST | 0x4046ac8 | 0x18a | XML 1.0 document, ASCII text | |

Imports

DLL | Import
kernel32.dll | GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualProtect, GetCurrentThread, lstrlenA, lstrcatA, lstrcmpA
user32.dll | CsrBroadcastSystemMessageExW

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2021 10:13:13.316452980 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Sep 25, 2021 10:13:13.336033106 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5

Code Manipulations

Statistics

System Behavior

Disassembly
