
Windows Analysis Report eLVD8YyLgN.exe

Overview

General Information

Sample Name: eLVD8YyLgN.exe
Analysis ID: 528750
MD5: 6518d0ae2e70133d19f94681d640590b
SHA1: 3457dc0d31d8355b9395245b2f3a093c394b4e43
SHA256: c14c596d56885c5a21913cb8b33bef299ab564fd81fe05836ceb4f7192a1c0d7
Tags: exe


Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file overlay found
Uses 32bit PE files
PE file does not import any functions
PE file contains an invalid checksum

Classification

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: eLVD8YyLgN.exe | Virustotal: Detection: 12%
Machine Learning detection for sample
Source: eLVD8YyLgN.exe | Joe Sandbox ML: detected
Source: eLVD8YyLgN.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: eLVD8YyLgN.exe | String found in binary or memory: http://www.home.r-hs.de/philippinen/antivirus/sig/signature.db0This
Source: eLVD8YyLgN.exe | String found in binary or memory: http://www.planet-source-code.com/vb/scripts/voting/VoteOnCodeRating.asp?lngWId=1&txtCodeId=51592&op
Source: eLVD8YyLgN.exe | Static PE information: Data appended to the last section found
Source: eLVD8YyLgN.exe | Static PE information: No import functions for PE file found
Source: eLVD8YyLgN.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal52.winEXE@0/0@0/0
Source: eLVD8YyLgN.exe | Binary or memory string: pEV$@pE*\AC:\Users\ivand\Desktop\posleden private\AntiVirus.vbp,
Source: eLVD8YyLgN.exe | Static PE information: real checksum: 0x6435e should be: 0x405a4

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
eLVD8YyLgN.exe | 12% | Virustotal | | Browse
eLVD8YyLgN.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://www.home.r-hs.de/philippinen/antivirus/sig/signature.db0This | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.home.r-hs.de/philippinen/antivirus/sig/signature.db0This | eLVD8YyLgN.exe | false | Avira URL Cloud: safe | unknown
http://www.planet-source-code.com/vb/scripts/voting/VoteOnCodeRating.asp?lngWId=1&txtCodeId=51592&op | eLVD8YyLgN.exe | false | | high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528750
Start date: 25.11.2021
Start time: 18:30:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: eLVD8YyLgN.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@0/0@0/0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Unable to launch sample, stop analysis
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220
• Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.4133402742573375
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: eLVD8YyLgN.exe
File size: 235257
MD5: 6518d0ae2e70133d19f94681d640590b
SHA1: 3457dc0d31d8355b9395245b2f3a093c394b4e43
SHA256: c14c596d56885c5a21913cb8b33bef299ab564fd81fe05836ceb4f7192a1c0d7
SHA512: c240e656d5fb4d059903b9b8e92dcb286eb9e271b423f1190272fdb9c96bcefdeea80c5c5047baab37ca571675b7f4f3e2e45f41347a66cdf5f9554deb6c910a
SSDEEP: 1536:8RWdX8T3mkA1mMB0hECRFaCfCd7NFOb0Fz87yjyZvd+TzeMGQtb6XMuZXKMRm4Sc:8RWp8ClYECRFaXd7NAAFz1ysGso
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&...b...b...b.......c.......B.......c...Richb...................PE..L......a.................`...........(.......p....@........

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4028a0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x619805F0 [Fri Nov 19 20:15:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:

Entrypoint Preview

Instruction
    push 0040A8B4h
    call 00007FCAE08C8005h
    add byte ptr [eax], al
    dec eax
    add byte ptr [eax], al
    add byte ptr [eax], dh
    add byte ptr [eax], al
    add byte ptr [eax+00h], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    lodsb
    mov byte ptr [9CDACE94h], al
    scasb
    inc esi
    and byte ptr [edi+04h], 0000005Fh
    sbb al, 75h
    out dx, eax
    jne 00007FCAE08C8012h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax+43056F7Dh], bl
    inc ebx
    inc ecx
    outsb
    je 00007FCAE08C807Bh
    jbe 00007FCAE08C807Bh
    jc 00007FCAE08C8044h
    xor byte ptr [eax], dh
    xor al, 00h
    inc eax
    add byte ptr [eax], al
    rol byte ptr [eax+00h], FFFFFFCCh
    jnl 00007FCAE08C8081h
    add eax, 00000000h
    nop
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx], al
    add byte ptr [eax], al
    add byte ptr [eax+eax], cl
    add byte ptr [eax], al
    hlt
    test al, 48h
    xor edx, dword ptr [esi+4Fh]
    mov bl, 4Ah
    xchg eax, esp
    jns 00007FCAE08C8085h
    in eax, dx
    mov edi, edi
    mov ecx, 00000141h
    add byte ptr [eax-50000000h], ah
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax+01056E91h], ah
    and byte ptr [eax+00h], al
    or cl, al
    add byte ptr [eax], al
    fadd st(0), st(0)
    inc eax
    add byte ptr [esi+edi*2], dl
    outsd
    add eax, 676F7250h
    jc 00007FCAE08C8077h
    jnc 00007FCAE08C8085h
    inc edx
    popad
    jc 00007FCAE08C8012h
    add eax, dword ptr [eax]
    add byte ptr [eax], al
    jmp 00007FCABEED7EADh
    movsd
    test al, 4Dh
    mov al, byte ptr [4AA4705Dh]
    cdq
    and al, 36h

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x55e14 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x6424 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x2e4 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55a38 | 0x56000 | False | 0.323925748721 | data | 4.43879142147 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x57000 | 0x614c | 0x1000 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x5e000 | 0x6424 | 0x7000 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly
