Windows Analysis Report
ciao

Overview

General Information

Sample Name: ciao (renamed file extension from none to exe)
Analysis ID: 586535
MD5: 2950930fd9685a9a7d26c965c529b60f
SHA1: 9ce522284f4ed862d0815968c91451f074b85e81
SHA256: 484573512eb4bf8cbfd85c4b209bc12bfc17cd873d733cfc4b49ce13914b9443

Detection

Dridex, CryptOne
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected Dridex e-Banking trojan
Yara detected CryptOne packer
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to query network adapter information
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

mal100.bank.troj.evad.winEXE@1/0@1/4

Startup

  • System is w10x64
  • ciao.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\ciao.exe" MD5: 2950930FD9685A9A7D26C965C529B60F)
  • cleanup

Malware Configuration

Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}

Yara Overview

Memory dumps:
Source | Rule | Description | Author
00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Crypt | Yara detected CryptOne packer | Joe Security
00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Unpacked PEs:
Source | Rule | Description | Author
0.2.ciao.exe.2240000.1.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0.2.ciao.exe.400000.0.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0.2.ciao.exe.2240000.1.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
0.2.ciao.exe.400000.0.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security

Sigma Overview

No Sigma rule has matched


AV Detection

Source: ciao.exe | Avira: detected
Source: 0.2.ciao.exe.2240000.1.raw.unpack | Malware Configuration Extractor: Dridex {"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", "103.199.16.245:1512", "123.206.58.135:8172"], "RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", "v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}
Source: ciao.exe | Metadefender: Detection: 32%
Source: ciao.exe | ReversingLabs: Detection: 92%
Source: ciao.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\ciao.exe | Unpacked PE file: 0.2.ciao.exe.400000.0.unpack
Source: ciao.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0042CEF8 FindFirstFileExW

Networking

Source: Malware configuration extractor | IPs: 172.104.87.236:1512
Source: Malware configuration extractor | IPs: 111.230.104.169:3388
Source: Malware configuration extractor | IPs: 103.199.16.245:1512
Source: Malware configuration extractor | IPs: 123.206.58.135:8172
Source: global traffic | TCP traffic: 192.168.2.5:49780 -> 111.230.104.169:3388
Source: global traffic | TCP traffic: 192.168.2.5:49789 -> 103.199.16.245:1512
Source: global traffic | TCP traffic: 192.168.2.5:49793 -> 123.206.58.135:8172
Source: Joe Sandbox View | ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa (two contacted IPs in this ASN)
Source: unknown | TCP traffic detected without corresponding DNS query: 172.104.87.236 (6 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 111.230.104.169 (6 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 103.199.16.245 (6 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 123.206.58.135 (3 connections)
Source: ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://123.206.58.135:8172/h
Source: unknown | DNS traffic detected: queries for: store-images.s-microsoft.com
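The networking evidence above is what a detection engineer turns into rules: the extractor gives exact ip:port pairs, and the sandbox independently noticed TCP to bare IPs on odd ports with no DNS lookup first. The Python below is an added example written for this page, not Joe Sandbox code and not taken from the report: it loads the extracted configuration exactly as printed above, matches flow records against the C2 list, applies the "direct IP, non-standard port, no DNS answer" heuristic as a second rule, and emits Suricata rules for the C2 endpoints. The flow and DNS records are constructed to mirror the report's traffic lines (the 198.51.100.x and 203.0.113.x addresses and the name cdn.example are placeholders), and the COMMON_PORTS set and the SID base are assumptions to adjust locally.

```python
import ipaddress
import json

# Configuration as the sandbox extracted it from the unpacked payload (copied from the report).
DRIDEX_CONFIG = json.loads(
    '{"Version": 10111, "C2 list": ["172.104.87.236:1512", "111.230.104.169:3388", '
    '"103.199.16.245:1512", "123.206.58.135:8172"], '
    '"RC4 keys": ["b58Q3DBSSKBc6NV2yyV3b42Fe6ojFZI8N0WEB", '
    '"v6jcviKqGv6lx4uz0Uk6jZvCxPAlfkVHiJTrTCXnmNdXSzxXzMkdiXrFRnzJTUZjrSf1W"]}'
)

# Ports on which direct-to-IP traffic is not suspicious by itself (assumption; tune per network).
COMMON_PORTS = {80, 443, 8080, 8443}

# Constructed flow records modelled on the report's "global traffic" lines; not from a real capture.
FLOWS = [
    {"src": "192.168.2.5", "sport": 49780, "dst": "111.230.104.169", "dport": 3388},
    {"src": "192.168.2.5", "sport": 49789, "dst": "103.199.16.245", "dport": 1512},
    {"src": "192.168.2.5", "sport": 49793, "dst": "123.206.58.135", "dport": 8172},
    {"src": "192.168.2.5", "sport": 49801, "dst": "172.104.87.236", "dport": 1512},
    {"src": "192.168.2.5", "sport": 49810, "dst": "198.51.100.7", "dport": 4444},  # constructed: unknown direct-IP peer
    {"src": "192.168.2.5", "sport": 49815, "dst": "203.0.113.10", "dport": 443},   # constructed: resolved by DNS first
]
# Constructed DNS answers observed before the flows (placeholder name and address).
DNS_ANSWERS = [{"qname": "cdn.example", "answers": ["203.0.113.10"]}]


def c2_endpoints(config: dict) -> set[tuple[str, int]]:
    """Turn the extractor's 'C2 list' strings into (ip, port) tuples."""
    endpoints = set()
    for entry in config["C2 list"]:
        host, _, port = entry.rpartition(":")
        ipaddress.ip_address(host)            # fail early on a malformed entry
        endpoints.add((host, int(port)))
    return endpoints


def detect(flows, dns_answers, config, common_ports=COMMON_PORTS):
    """Return (rule, dst, dport, reason) tuples for flows that look like Dridex C2."""
    c2 = c2_endpoints(config)
    resolved = {ip for rec in dns_answers for ip in rec["answers"]}
    alerts = []
    for f in flows:
        key = (f["dst"], f["dport"])
        if key in c2:
            alerts.append(("dridex-c2", f["dst"], f["dport"], "destination is in the extracted C2 list"))
        elif f["dst"] not in resolved and f["dport"] not in common_ports:
            # The same pattern the sandbox flagged: TCP to a bare IP on a non-standard port, no DNS first.
            alerts.append(("direct-ip-nonstd-port", f["dst"], f["dport"], "no DNS answer for destination"))
    return alerts


def suricata_rules(config: dict, sid_base: int = 9000001) -> list[str]:
    """One alert rule per C2 endpoint. sid_base is a placeholder; use your local SID range."""
    rules = []
    for i, (ip, port) in enumerate(sorted(c2_endpoints(config))):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Dridex C2 beacon, config version {config["Version"]}"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for alert in detect(FLOWS, DNS_ANSWERS, DRIDEX_CONFIG):
        print(*alert)
    print("\n".join(suricata_rules(DRIDEX_CONFIG)))
```

The ip:port rules are exact but short-lived, since Dridex operators rotate C2 nodes between builds; the second rule is what keeps catching the next build, at the cost of tuning COMMON_PORTS and the DNS baseline against your own egress traffic.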

E-Banking Fraud

Source: Yara match | File source: 0.2.ciao.exe.2240000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ciao.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ciao.exe.2240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ciao.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00405150 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo,LoadLibraryW
Source: ciao.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: ciao.exe, 00000000.00000002.695111803.0000000000473000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe
Source: ciao.exe | Binary or memory string: OriginalFilenamePSFTP: vs ciao.exe
Source: ciao.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (two resources)
Source: C:\Users\user\Desktop\ciao.exe | Code functions (53): 0_2_00405150, 0_2_004167C8, 0_2_00421020, 0_2_0041D030, 0_2_004188C0, 0_2_00418CC0, 0_2_0040ACD0, 0_2_0041A0D0, 0_2_004198DA, 0_2_0041E0A0, 0_2_0042DCA0, 0_2_004250A0, 0_2_00424CA0, 0_2_00425CB0, 0_2_00417564, 0_2_00401570, 0_2_0041FDD0, 0_2_004289F0, 0_2_004271F0, 0_2_0041D980, 0_2_0042D180, 0_2_0041C590, 0_2_0040F9A0, 0_2_00421240, 0_2_0041A660, 0_2_00427660, 0_2_00422E60, 0_2_00409E70, 0_2_00419E70, 0_2_0040CA10, 0_2_0042FA10, 0_2_00420220, 0_2_0042D620, 0_2_00423EC0, 0_2_00406AD0, 0_2_004196D0, 0_2_0041F6E0, 0_2_0041B6F0, 0_2_00418EF0, 0_2_004262F0, 0_2_0041AE80, 0_2_00418AB0, 0_2_00421EB0, 0_2_004226B0, 0_2_0041BF50, 0_2_00415B60, 0_2_00423B00, 0_2_00429B10, 0_2_00421730, 0_2_004183C0, 0_2_00417FC0, 0_2_00427FC0, 0_2_0041E3F0
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_004122A0 NtDelayExecution
Source: ciao.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ciao.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ciao.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@1/0@1/4

Data Obfuscation

Source: C:\Users\user\Desktop\ciao.exe | Unpacked PE file: 0.2.ciao.exe.400000.0.unpack, section rights .text:ER;.rdata:R;.text3:R;.text2:R;.data:W;.data3:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R; (the first layout is the on-disk sample, whose section names .text3/.text2/.data3 are listed below and which has no base-relocation directory; the layout with .reloc is the unpacked image)
Source: C:\Users\user\Desktop\ciao.exe | Unpacked PE file: 0.2.ciao.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0044449F push ecx; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00444254 push ecx; retf
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0222BBC0 push edx; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_022162ED pushad ; iretd
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_021F7192 push dword ptr [ebp+ecx*8-49h]; retf
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0220F6ED push esi; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0221FB94 push esi; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_021F89BD push 00000369h; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_021F89ED push 00000369h; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_021F0EAF push esi; ret
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_021F1D31 push FFFFFFD5h; ret
Source: ciao.exe | Static PE information: section name: .text3
Source: ciao.exe | Static PE information: section name: .text2
Source: ciao.exe | Static PE information: section name: .data3
Source: initial sample | Static PE information: section name: .text entropy: 7.42644876953
Source: C:\Users\user\Desktop\ciao.exe | Window / User API: foregroundWindowGot 1776
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -156000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -135000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -125000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -330000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -122000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe TID: 7044 | Thread sleep time: -143000s >= -30000s
Source: C:\Users\user\Desktop\ciao.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\ciao.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_022088FD rdtsc
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00413930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_0042CEF8 FindFirstFileExW
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00416C50 KiUserExceptionDispatcher,LdrLoadDll
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00417A60 RtlAddVectoredExceptionHandler
Source: C:\Users\user\Desktop\ciao.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\ciao.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ciao.exe | Code function: 0_2_00412980 GetUserNameW
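Most of the packer indicators in this section (non-standard section names, a .text section with 7.43 bits/byte of entropy, RELOCS_STRIPPED together with empty DLL characteristics) are visible in the on-disk file before it is ever run. The Python below is an added example written for this page, not Joe Sandbox code and not derived from the report's own tooling: it reads the PE section table directly with struct, computes per-section Shannon entropy, and reports the same classes of indicator. The sample PE it analyses is built in-process to mirror the report's static traits (sections .text/.text2/.data3, RELOCS_STRIPPED set, DllCharacteristics zero); it is constructed, not the analysed binary. The 7.0 entropy threshold and the STANDARD_SECTION_NAMES set are assumptions.

```python
import math
import struct
from dataclasses import dataclass

# IMAGE_FILE_* header characteristics (PE/COFF specification)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
# IMAGE_DLLCHARACTERISTICS_*
DLL_DYNAMIC_BASE = 0x0040
DLL_NX_COMPAT = 0x0100
# IMAGE_SCN_* section characteristics
SCN_CNT_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Section names a stock toolchain emits; anything else deserves a look (assumption, extend as needed).
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                          ".pdata", ".tls", ".bss", ".CRT"}


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (file characteristics, DllCharacteristics, [Section, ...]) from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, sch) = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, raw_size, sch, shannon_entropy(raw)))
    return file_chars, dll_chars, sections


def triage(image: bytes, entropy_threshold: float = 7.0) -> list[str]:
    """Static indicators of the kind the sandbox reported: stripped relocations, missing
    DLL characteristics, odd section names, packed-looking or writable code."""
    file_chars, dll_chars, sections = parse_pe(image)
    findings = []
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("relocations stripped: image is pinned to its ImageBase (no ASLR)")
    if not dll_chars & DLL_DYNAMIC_BASE:
        findings.append("DllCharacteristics lacks DYNAMIC_BASE")
    if not dll_chars & DLL_NX_COMPAT:
        findings.append("DllCharacteristics lacks NX_COMPAT")
    for s in sections:
        if s.name not in STANDARD_SECTION_NAMES:
            findings.append(f"non-standard section name: {s.name}")
        if s.characteristics & SCN_MEM_EXECUTE and s.entropy >= entropy_threshold:
            findings.append(f"high-entropy executable section {s.name}: {s.entropy:.2f} bits/byte (packed?)")
        if s.characteristics & SCN_MEM_WRITE and s.characteristics & SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section: {s.name}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample) mirroring the report's static traits:
    sections .text/.text2/.data3, RELOCS_STRIPPED set, DllCharacteristics left at zero."""
    spec = [  # (name, characteristics, raw bytes)
        (b".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ, bytes(range(256)) * 4),  # uniform bytes: 8.0
        (b".text2", SCN_MEM_READ, b"\0" * 0x100),
        (b".data3", SCN_MEM_READ | SCN_MEM_WRITE, b"A" * 0x100),
    ]
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    first_raw = -(-(e_lfanew + 24 + opt_size + 40 * len(spec)) // file_align) * file_align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_RELOCS_STRIPPED)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic; every other field, DllCharacteristics included, is 0
    headers, bodies, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, sch, data in spec:
        raw = data.ljust(-(-len(data) // file_align) * file_align, b"\0")
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(raw), raw_ptr, 0, 0, 0, 0, sch)
        bodies += raw
        raw_ptr += len(raw)
        va += 0x1000
    return (dos + b"PE\0\0" + coff + opt + headers).ljust(first_raw, b"\0") + bodies


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Run against the real sample, triage() would report the stripped relocations and the empty DLL characteristics from the header fields shown under Static PE Info, the .text2/.text3/.data3 names, and a .text entropy of 7.43, above the 7.0 threshold; the in-memory layout with .reloc that the sandbox compared against only exists after the packer has run, which is why the dynamic "changes PE section rights" signature still earns its place.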

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Techniques matched by the signatures above, with the number of matching signatures in parentheses (the remaining cells of the matrix are the unmatched ATT&CK layout):

Execution: Native API (1)
Defense Evasion: Virtualization/Sandbox Evasion (1), Obfuscated Files or Information (2), Software Packing (22)
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (13)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (11)
Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
ciao.exe | 32% | Metadefender |
ciao.exe | 93% | ReversingLabs | Win32.Infostealer.Dridex
ciao.exe | 100% | Avira | HEUR/AGEN.1219116
ciao.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
0.0.ciao.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1219116
0.2.ciao.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234144

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
https://123.206.58.135:8172/h | 0% | Avira URL Cloud | safe

The URL-reputation verdict covers only the URL string; the same host and port, 123.206.58.135:8172, is in the extracted C2 list and is marked malicious in the IP table below.

Domains and IPs

Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
store-images.s-microsoft.com | unknown | unknown | false | | high

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
https://123.206.58.135:8172/h | ciao.exe, 00000000.00000002.694824738.000000000009D000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
123.206.58.135 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | true
103.199.16.245 | unknown | Viet Nam | 63734 | GREENCLOUDVPS-AS-VN365Onlinetechnologyjointstockcompan | true
111.230.104.169 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | true
172.104.87.236 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
Analysis Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 586535
Start date: 10.03.2022
Start time: 10:51:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ciao (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winEXE@1/0@1/4
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.9% (good quality ratio 3.9%)
  • Quality average: 78.9%
  • Quality standard deviation: 16%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.5.146, 23.211.6.115
  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e16646.dscg.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, storeedgefd.xbetservices.akadns.net, storeedgefd.dsx.mp.microsoft.com
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: ciao.exe

Behavior and APIs

Time | Type | Description
10:52:57 | API Interceptor | 7x Sleep call for process: ciao.exe modified
                  No created / dropped files found
Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.108652688508333
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • VXD Driver (31/22) 0.00%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ciao.exe
File size: 466432
MD5: 2950930fd9685a9a7d26c965c529b60f
SHA1: 9ce522284f4ed862d0815968c91451f074b85e81
SHA256: 484573512eb4bf8cbfd85c4b209bc12bfc17cd873d733cfc4b49ce13914b9443
SHA512: fc69da1dfef82ea8d74811a5296e24ccc11eedf98421d44eefcf9e89132642befdfc6d06c43a8a98bcbab9b83c9557b1570f6ee89c58f525a9840c648e828f27
SSDEEP: 6144:we9ZfcAcig3SuEE/UPTYkkK795PuBSciRzWpIOiM35e9ZOe9ZDe9Z:bEfh3SW/Uc5K73PuBMR37p6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=a._...............2.....t.......T.......p....@..........................P.............................................
Icon Hash: c092d090bc0d990b

Static PE Info

Entrypoint: 0x4454e0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none set; with no DYNAMIC_BASE and relocations stripped, the image always loads at 0x400000)
Time Stamp: 0x5FD2613D [Thu Dec 10 17:56:13 2020 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none; native code)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: eba97c0a4b1876634a464e9c065450fb
Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 4Ch
mov dword ptr [ebp-04h], 00000000h
push 0046D354h
call dword ptr [0046D680h]
mov dword ptr [0046DC60h], 00000000h
jmp 00007FDBDC71609Fh
mov eax, dword ptr [0046DC60h]
add eax, 01h
mov dword ptr [0046DC60h], eax
cmp dword ptr [0046DC60h], 0000107Fh
jnc 00007FDBDC71609Ah
call dword ptr [0046D670h]
jmp 00007FDBDC716071h
push 0046D36Ch
call dword ptr [0046D684h]
call dword ptr [0046D578h]
cmp eax, 02h
je 00007FDBDC716099h
xor eax, eax
jmp 00007FDBDC716F82h
call 00007FDBDC715FFEh
cmp dword ptr [ebp-04h], 00000000h
je 00007FDBDC7160A4h
push 0000231Eh
push 0000231Eh
call 00007FDBDC715F19h
add esp, 08h
cmp dword ptr [ebp-04h], 00000000h
je 00007FDBDC7160A4h
push 0000231Eh
push 0000231Eh
call 00007FDBDC715F01h
add esp, 08h
cmp dword ptr [ebp-04h], 00000000h
je 00007FDBDC7160A4h
push 0000231Eh
push 0000231Eh
call 00007FDBDC715EE9h
add esp, 08h
mov dword ptr [0046DC60h], 00000000h
jmp 00007FDBDC7160A1h
mov ecx, dword ptr [0046DC60h]
add ecx, 01h
mov dword ptr [0000DC60h], ecx
                  Name                                  Virtual Address  Virtual Size  Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT          0x6d3a4          0x78          .data
                  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x73000          0x14c8        .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_IAT             0x6d564          0x148         .data
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                  Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy           Characteristics
                  .text   0x1000           0x454f7       0x45600   False     0.843774634009   data       7.42644876953     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata  0x47000          0x1c2         0x200     False     0.5859375        data       4.23847909032     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .text3  0x48000          0x1adb0       0x1ae00   False     0.0012082122093  data       0.00862531644872  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .text2  0x63000          0x4e20        0x5000    False     0.59052734375    data       5.00603909334     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data   0x68000          0x5cc0        0x5e00    False     0.580119680851   data       5.33430480294     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .data3  0x6e000          0x4e20        0x5000    False     0.59052734375    data       5.00603909334     IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc   0x73000          0x14c8        0x1600    False     0.25390625       data       2.95023024978     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name           RVA      Size   Type                                                                                                                    Language  Country
                  RT_ICON        0x731d8  0x128  GLS_BINARY_LSB_FIRST                                                                                                    English   United States
                  RT_ICON        0x73300  0x2e8  dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 202099788, next used block 35015  English   United States
                  RT_ICON        0x735e8  0x668  data                                                                                                                    English   United States
                  RT_ICON        0x73c50  0xb0   GLS_BINARY_LSB_FIRST                                                                                                    English   United States
                  RT_ICON        0x73d00  0x130  data                                                                                                                    English   United States
                  RT_ICON        0x73e30  0x330  data                                                                                                                    English   United States
                  RT_GROUP_ICON  0x74160  0x5a   data                                                                                                                    English   United States
                  RT_VERSION     0x741bc  0x30c  data                                                                                                                    English   United States
                  DLL           Import
                  KERNEL32.dll  GetCurrentProcessId, Sleep, GetTickCount, CloseHandle, OpenMutexW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetProcAddress, GetModuleFileNameW, GetCurrentThreadId, WriteFile, SetFilePointer, GetCurrentProcess, CreateMutexW, ReleaseMutex, TerminateProcess, InterlockedDecrement, GetModuleHandleW, LoadLibraryA, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, InterlockedIncrement, WideCharToMultiByte, InterlockedExchange, MultiByteToWideChar, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, LCMapStringA, LCMapStringW, GetCPInfo, GetStringTypeW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, ExitProcess, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, LocalAlloc, QueryPerformanceCounter, FormatMessageA, LocalFree, SetConsoleCtrlHandler, SetThreadUILanguage, GetModuleHandleA, VirtualAlloc
                  USER32.dll    LoadCursorA, GetForegroundWindow
                  GDI32.dll     GetEnhMetaFileA, RealizePalette, AddFontResourceW, GetEnhMetaFileW, StrokePath, SwapBuffers, GetEnhMetaFileBits, GetStockObject
                  ADVAPI32.dll  RegOpenKeyW
                  IMM32.dll     ImmDisableIME
                  Description       Data
                  LegalCopyright    Copyright 1997-2017 Simon Tatham.
                  InternalName      PSFTP
                  FileVersion       Release 0.68
                  CompanyName       Simon Tatham
                  ProductName       PuTTY suite
                  ProductVersion    Release 0.68
                  FileDescription   Command-line interactive SFTP client
                  OriginalFilename  PSFTP
                  Translation       0x0809 0x04b0

                  Language of compilation system  Country where language is spoken  Map
                  English                         United States
                  Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                  Mar 10, 2022 10:52:56.089411974 CET  49774        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:52:56.343377113 CET  1512         49774      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:52:56.931067944 CET  49774        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:52:57.185810089 CET  1512         49774      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:52:57.821815968 CET  49774        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:52:58.075697899 CET  1512         49774      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:52:58.217005014 CET  49780        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:53:01.368940115 CET  49780        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:53:07.369541883 CET  49780        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:53:19.499452114 CET  49789        1512       192.168.2.5      103.199.16.245
                  Mar 10, 2022 10:53:19.741199970 CET  1512         49789      103.199.16.245   192.168.2.5
                  Mar 10, 2022 10:53:20.370549917 CET  49789        1512       192.168.2.5      103.199.16.245
                  Mar 10, 2022 10:53:26.386729956 CET  49789        1512       192.168.2.5      103.199.16.245
                  Mar 10, 2022 10:53:38.523582935 CET  49793        8172       192.168.2.5      123.206.58.135
                  Mar 10, 2022 10:53:41.522963047 CET  49793        8172       192.168.2.5      123.206.58.135
                  Mar 10, 2022 10:53:47.523423910 CET  49793        8172       192.168.2.5      123.206.58.135
                  Mar 10, 2022 10:53:59.642584085 CET  49795        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:53:59.909619093 CET  1512         49795      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:54:00.415230989 CET  49795        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:54:00.682101965 CET  1512         49795      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:54:01.196469069 CET  49795        1512       192.168.2.5      172.104.87.236
                  Mar 10, 2022 10:54:01.463325024 CET  1512         49795      172.104.87.236   192.168.2.5
                  Mar 10, 2022 10:54:01.581051111 CET  49796        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:54:04.587357998 CET  49796        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:54:10.666049004 CET  49796        3388       192.168.2.5      111.230.104.169
                  Mar 10, 2022 10:54:22.799479961 CET  49798        1512       192.168.2.5      103.199.16.245
                  Mar 10, 2022 10:54:23.012582064 CET  1512         49798      103.199.16.245   192.168.2.5
                  Mar 10, 2022 10:54:23.526457071 CET  49798        1512       192.168.2.5      103.199.16.245
                  Mar 10, 2022 10:54:23.739654064 CET  1512         49798      103.199.16.245   192.168.2.5
                  Mar 10, 2022 10:54:24.245239019 CET  49798        1512       192.168.2.5      103.199.16.245
                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                  Mar 10, 2022 10:52:25.026051998 CET  54322        53         192.168.2.5  8.8.8.8

                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class
                  Mar 10, 2022 10:52:25.026051998 CET  192.168.2.5  8.8.8.8  0x26f6    Standard query (0)  store-images.s-microsoft.com  A (IP address)  IN (0x0001)

                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                          CName                                       Address  Type                    Class
                  Mar 10, 2022 10:52:25.047528982 CET  8.8.8.8    192.168.2.5  0x26f6    No error (0)  store-images.s-microsoft.com  store-images.s-microsoft.com-c.edgekey.net           CNAME (Canonical name)  IN (0x0001)
                  No statistics
                  Target ID:0
                  Start time:10:52:31
                  Start date:10/03/2022
                  Path:C:\Users\user\Desktop\ciao.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\ciao.exe"
                  Imagebase:0x400000
                  File size:466432 bytes
                  MD5 hash:2950930FD9685A9A7D26C965C529B60F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000000.00000002.695331937.00000000021F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.695387453.0000000002240000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.694841619.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low

                  No disassembly