

Windows Analysis Report
AIO.exe

Overview

General Information

Sample Name: AIO.exe
Analysis ID: 708236
MD5: 9c1181704c48d62de14c5f682c4f5d5e
SHA1: ada9921624f3225054745643b0d4504939efd1aa
SHA256: 44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623
Tags: dropped, exe, morpheus
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
Potential time zone aware malware
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • AIO.exe (PID: 4572 cmdline: "C:\Users\user\Desktop\AIO.exe" MD5: 9C1181704C48D62DE14C5F682C4F5D5E)
    • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49697 -> 185.25.204.244:9090
Source: unknown | TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: AIO.exe | Binary or memory string: github.com/gonutz/w32/v2.getRawInputData
Source: AIO.exe | Static PE information: Number of sections : 14 > 10
Source: AIO.exe | Static PE information: Section: /19 ZLIB complexity 0.9970344753440367
Source: AIO.exe | Static PE information: Section: /32 ZLIB complexity 0.9973810369318182
Source: AIO.exe | Static PE information: Section: /65 ZLIB complexity 0.9984575565403423
Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AIO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AIO.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: classification engine | Classification label: mal48.winEXE@2/0@0/1
Source: unknown | Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"
Source: C:\Users\user\Desktop\AIO.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Source: AIO.exe | Static file information: File size 4077056 > 1048576
Source: AIO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AIO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ea00
Source: AIO.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x131a00
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AIO.exe | Static PE information: section name: /4
Source: AIO.exe | Static PE information: section name: /19
Source: AIO.exe | Static PE information: section name: /32
Source: AIO.exe | Static PE information: section name: /46
Source: AIO.exe | Static PE information: section name: /65
Source: AIO.exe | Static PE information: section name: /78
Source: AIO.exe | Static PE information: section name: /90
Source: AIO.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\AIO.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AIO.exe, 00000000.00000002.309927572.000002228A628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllooJ
MITRE ATT&CK Matrix (tactic: technique, with the number of matching signatures in parentheses where the report shows one; the columns Discovery through Impact are cut off on this page)

Initial Access: Valid Accounts
Execution: Command and Scripting Interpreter (2)
Persistence: Path Interception
Privilege Escalation: Process Injection (1)
Defense Evasion: Software Packing (1)
Credential Access: Input Capture (11)