Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:67120
Start time:12:20:35
Joe Sandbox Product:CloudBasic
Start date:07.07.2018
Overall analysis duration:0h 1m 0s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:amtlib.dll
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:UNKNOWN
Classification:unknown1.winDLL@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
Errors:
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 1     | 0 - 100 | Report FP / FN | unknown

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Signature Overview

Data Obfuscation:
  • PE file contains sections with non-standard names
    Source: amtlib.dll. Static PE information: section name: .pr0
  • Binary may include packed or encrypted code
    Source: initial sample. Static PE information: section name: .pr0 entropy: 7.48368534214

System Summary:
  • Classification label
    Source: classification engine. Classification label: unknown1.winDLL@0/0@0/0
  • PE file has a high image base, often used for DLLs
    Source: amtlib.dll. Static PE information: Image base 0x180000000 > 0x60000000
  • Contains modern PE file flags such as dynamic base (ASLR) or NX
    Source: amtlib.dll. Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Anti Debugging:
  • Program does not show much activity (idle)
    Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:
  • Program does not show much activity (idle)
    Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source     | Detection | Scanner      | Label
amtlib.dll | 2%        | virustotal   |
amtlib.dll | 0%        | metadefender |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots


Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):7.023062433068291
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 94.87%
  • Generic Win/DOS Executable (2004/3) 1.86%
  • DOS Executable Generic (2002/1) 1.86%
  • Java Script embedded in Visual Basic Script (1500/0) 1.40%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:amtlib.dll
File size:70144
MD5:b773cee8aae74e5eb7e0dd3ada08a21e
SHA1:72257f20edc89ad9dbd4da2b8ff5ce5557701ea6
SHA256:5c4606e5734ce62ae45228641a6a4a49491f1b70d6c7da8c0335cb7b11862841
SHA512:805acd61fb17285f4e0f6cf6a948b1ec174e1b793a8c751aa62b152ceb946d2f2daf98e7ea269a9e6db6482c776b84c57dabd0ff9fd7179c65fa1c7d6de5c5b2
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p3X..]...]...].(.....]...\...].@.....].@.....]..C....].......].@.....].Rich..].........PE..d....*.X.........." .....(...:.....

File Icon

Static PE Info

General

Entrypoint:0x180003620
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:0x58092A05 [Thu Oct 20 20:33:09 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:5f931ee6022f63a8566f4e48ef1231f0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
cmp edx, 01h
jne 00007F81E6508727h
call 00007F81E65073E7h
mov eax, 00000001h
dec eax
add esp, 28h
ret
add byte ptr [eax], al

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x49e0          | 0x397        | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x4d78          | 0x78         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x16000         | 0x521        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x8000          | 0x2a0        | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x15000         | 0xd0         | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x4000          | 0xd8         | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text  | 0x1000          | 0x2638       | 0x2800   | False    | 0.5603515625    | data      | 6.16692501237 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x4000          | 0x10aa       | 0x1200   | False    | 0.449869791667  | data      | 4.75961199042 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x6000          | 0x1bb8       | 0x1400   | False    | 0.323828125     | data      | 4.05188718888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata | 0x8000          | 0x2a0        | 0x400    | False    | 0.3671875       | data      | 2.93608835693 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pr0   | 0x9000          | 0xb2c1       | 0xb400   | False    | 0.860503472222  | data      | 7.48368534214 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x15000         | 0xd0         | 0x200    | False    | 0.41015625      |           |               |