Windows Analysis Report
qOiBFeRq7X.exe

Overview

General Information

Sample Name: qOiBFeRq7X.exe
Analysis ID: 708237
MD5: e350cbab3b64e8f7e523619721392d21
SHA1: 719c508f86b5e0a5c97d90dfad8aa30ca5f344f9
SHA256: b25478bd070ab292272094d6a9793a0e7eba11340b2693258eccd6876196c5e3
Tags: 185-25-204-244, ServereasySrl, exe, Morpheus

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
PE file contains more sections than normal
Potential time zone aware malware
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • qOiBFeRq7X.exe (PID: 2512 cmdline: "C:\Users\user\Desktop\qOiBFeRq7X.exe" MD5: E350CBAB3B64E8F7E523619721392D21)
    • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: qOiBFeRq7X.exe | Virustotal: Detection: 7%
Source: qOiBFeRq7X.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 185.25.204.244:9090
Source: unknown | TCP traffic detected without corresponding DNS query: 185.25.204.244
Source: qOiBFeRq7X.exe | Binary or memory string: github.com/gonutz/w32/v2.getRawInputData
Source: qOiBFeRq7X.exe | Static PE information: Number of sections : 14 > 10
Source: qOiBFeRq7X.exe | Static PE information: Section: /19 ZLIB complexity 0.9957361985125858
Source: qOiBFeRq7X.exe | Static PE information: Section: /32 ZLIB complexity 0.9980690696022727
Source: qOiBFeRq7X.exe | Static PE information: Section: /65 ZLIB complexity 0.9984093597374848
Source: qOiBFeRq7X.exe | Virustotal: Detection: 7%
Source: qOiBFeRq7X.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qOiBFeRq7X.exe | String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: classification engine | Classification label: mal48.winEXE@2/0@0/1
Source: unknown | Process created: C:\Users\user\Desktop\qOiBFeRq7X.exe "C:\Users\user\Desktop\qOiBFeRq7X.exe"
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: qOiBFeRq7X.exe | Static file information: File size 4145664 > 1048576
Source: qOiBFeRq7X.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: qOiBFeRq7X.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12f400
Source: qOiBFeRq7X.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x132600
Source: qOiBFeRq7X.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: qOiBFeRq7X.exe | Static PE information: section name: /4
Source: qOiBFeRq7X.exe | Static PE information: section name: /19
Source: qOiBFeRq7X.exe | Static PE information: section name: /32
Source: qOiBFeRq7X.exe | Static PE information: section name: /46
Source: qOiBFeRq7X.exe | Static PE information: section name: /65
Source: qOiBFeRq7X.exe | Static PE information: section name: /78
Source: qOiBFeRq7X.exe | Static PE information: section name: /90
Source: qOiBFeRq7X.exe | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\qOiBFeRq7X.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: qOiBFeRq7X.exe, 00000000.00000002.259002698.000002D0DA2D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG