Joe Sandbox Windows Analysis Report
AIO.exe

Overview

General Information

Sample Name: AIO.exe
Analysis ID: 708236
MD5: 9c1181704c48d62de14c5f682c4f5d5e
SHA1: ada9921624f3225054745643b0d4504939efd1aa
SHA256: 44ea8ae385d7d95d4f0b9c6969c0d0ca55acfd996e97236c0ae04eb2b4b2d623
Tags: droppedexemorpheus

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
Potential time zone aware malware
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • AIO.exe (PID: 4572 cmdline: "C:\Users\user\Desktop\AIO.exe" MD5: 9C1181704C48D62DE14C5F682C4F5D5E)
    • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49697 -> 185.25.204.244:9090
Source: unknown | TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: AIO.exe | Binary or memory string: github.com/gonutz/w32/v2.getRawInputData
Source: AIO.exe | Static PE information: Number of sections : 14 > 10
Source: AIO.exe | Static PE information: Section: /19 ZLIB complexity 0.9970344753440367
Source: AIO.exe | Static PE information: Section: /32 ZLIB complexity 0.9973810369318182
Source: AIO.exe | Static PE information: Section: /65 ZLIB complexity 0.9984575565403423
Source: AIO.exe | Virustotal: Detection: 7%
Source: AIO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AIO.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AIO.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: classification engine | Classification label: mal48.winEXE@2/0@0/1
Source: unknown | Process created: C:\Users\user\Desktop\AIO.exe "C:\Users\user\Desktop\AIO.exe"
Source: C:\Users\user\Desktop\AIO.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_01
Source: AIO.exe | Static file information: File size 4077056 > 1048576
Source: AIO.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AIO.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12ea00
Source: AIO.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x131a00
Source: AIO.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AIO.exe | Static PE information: section name: /4
Source: AIO.exe | Static PE information: section name: /19
Source: AIO.exe | Static PE information: section name: /32
Source: AIO.exe | Static PE information: section name: /46
Source: AIO.exe | Static PE information: section name: /65
Source: AIO.exe | Static PE information: section name: /78
Source: AIO.exe | Static PE information: section name: /90
Source: AIO.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\AIO.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AIO.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: AIO.exe, 00000000.00000002.309927572.000002228A628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllooJ
Techniques by tactic (a leading number is shown on the original matrix next to that technique):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: 2 Command and Scripting Interpreter, Scheduled Task/Job, At (Linux)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
Privilege Escalation: 1 Process Injection, Boot or Logon Initialization Scripts, Logon Script (Windows)
Defense Evasion: 1 Software Packing, 1 Process Injection, Obfuscated Files or Information
Credential Access: 11 Input Capture, LSASS Memory, Security Account Manager
Discovery: 1 System Time Discovery, 1 Security Software Discovery, 1 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: 11 Input Capture, Data from Removable Media, Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Command and Control: 1 Non-Standard Port, Junk Data, Steganography
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data