
Windows Analysis Report JZ3FrTU0tJ.exe

Overview

General Information

Sample Name: JZ3FrTU0tJ.exe
Analysis ID: 528760
MD5: 57c919f3cc2729eef0f8cbf72aa712a9
SHA1: 28c18e298d8a579db4cbfa459c35bdde29de58ac
SHA256: b6de619c9469226aef6d9af08b03d51e7d200d53a9acffc6adcd975e0d48e3d9
Tags: exe

Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
PE file has nameless sections
PE file contains section with special chars
PE file does not import any functions
PE file overlay found
PE file contains sections with non-standard names
Binary contains a suspicious time stamp

Classification

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: JZ3FrTU0tJ.exe | Virustotal: Detection: 20%
Machine Learning detection for sample
Source: JZ3FrTU0tJ.exe | Joe Sandbox ML: detected
Source: JZ3FrTU0tJ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

System Summary:

PE file has nameless sections
Source: JZ3FrTU0tJ.exe | Static PE information: section name: (empty)
PE file contains section with special chars
Source: JZ3FrTU0tJ.exe | Static PE information: section name: [`MOak
Source: JZ3FrTU0tJ.exe | Static PE information: No import functions for PE file found
Source: JZ3FrTU0tJ.exe | Static PE information: Data appended to the last section found
Source: JZ3FrTU0tJ.exe | Static PE information: Section: [`MOak ZLIB complexity 1.00044157609
Source: JZ3FrTU0tJ.exe | Virustotal: Detection: 20%
Source: classification engine | Classification label: mal60.winEXE@0/0@0/0
Source: JZ3FrTU0tJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: JZ3FrTU0tJ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: JZ3FrTU0tJ.exe | Static PE information: section name: [`MOak
Source: JZ3FrTU0tJ.exe | Static PE information: section name: (empty)
Source: JZ3FrTU0tJ.exe | Static PE information: 0xD261EA71 [Thu Nov 6 05:26:09 2081 UTC]
Source: initial sample | Static PE information: section name: [`MOak entropy: 7.99738998665

Mitre Att&ck Matrix

Matched techniques carry their signature hit count in parentheses.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | Software Packing (2) | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Timestomp (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
JZ3FrTU0tJ.exe | 20% | Virustotal |
JZ3FrTU0tJ.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528760
Start date: 25.11.2021
Start time: 18:39:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: JZ3FrTU0tJ.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal60.winEXE@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 92.122.145.220
  • Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.062703864995128
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
  • Win32 Executable (generic) a (10002005/4) 49.96%
  • Win16/32 Executable Delphi generic (2074/23) 0.01%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
File name: JZ3FrTU0tJ.exe
File size: 183635
MD5: 57c919f3cc2729eef0f8cbf72aa712a9
SHA1: 28c18e298d8a579db4cbfa459c35bdde29de58ac
SHA256: b6de619c9469226aef6d9af08b03d51e7d200d53a9acffc6adcd975e0d48e3d9
SHA512: 92833ac52b646cb0c79f1e87e5e54996a446f46442bcffd321857fc8190374d57acc74e25a53d2371be0ae2af349980182fa785b5e930003aa95e22398df1468
SSDEEP: 3072:yVaok+snqUvu3m7xAddxcrmGHlrNHjEaIqIU+onEksKSm20DMxQQtYscKgoN60eZ:yVa3+sqU4/Kx6aPIU+onEksKSm20DMxG
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.a..........."...0.............. ... ... ....@.. .......................`............`................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x44200a
Entrypoint Section: (empty)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0xD261EA71 [Thu Nov 6 05:26:09 2081 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: (none)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12cdc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x5d6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x44000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x42000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x12000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
[`MOak | 0x2000 | 0xe564 | 0xe600 | False | 1.00044157609 | data | 7.99738998665 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text | 0x12000 | 0x2c908 | 0x2ca00 | False | 0.29661927892 | data | 4.34882960737 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x40000 | 0x5d6 | 0x600 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(no name) | 0x42000 | 0x10 | 0x200 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x44000 | 0xc | 0x200 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly
