Windows Analysis Report
Yoh6xJ4fc5.exe

Overview

General Information

Sample Name: Yoh6xJ4fc5.exe
Analysis ID: 778224
MD5: d14ceedb53cf5316ecc6a09eace27be4
SHA1: ba84d27b6ce687fe6360fa1f55efd78fca01f94f
SHA256: 118c81907f82df9e435fc2dae7ab84cf61d07f628ac1238f615fdc16c81e6a88
Tags: exe
Infos:
Errors:
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: C000007B

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file overlay found
PE file contains executable resources (Code or Archives)

Classification

No configs have been found
Source           Rule                              Description  Author
Yoh6xJ4fc5.exe   Linux_Trojan_Pornoasset_927f314f  unknown      unknown
  Strings:
  • 0x146304:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: Yoh6xJ4fc5.exe - Virustotal: Detection: 44%
Source: Yoh6xJ4fc5.exe - Joe Sandbox ML: detected
Source: Yoh6xJ4fc5.exe - Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

System Summary

Source: Yoh6xJ4fc5.exe, type: SAMPLE - Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: initial sample - Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Yoh6xJ4fc5.exe - Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Yoh6xJ4fc5.exe, type: SAMPLE - Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: Yoh6xJ4fc5.exe - Binary or memory string: OriginalFilename Servicevcs.exe vs Yoh6xJ4fc5.exe
Source: Yoh6xJ4fc5.exe - Static PE information: Data appended to the last section found
Source: Yoh6xJ4fc5.exe - Static PE information: Resource name: CUSTOM type: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Source: Yoh6xJ4fc5.exe - Virustotal: Detection: 44%
Source: Yoh6xJ4fc5.exe - Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine - Classification label: mal68.rans.winEXE@0/0@0/0
Source: Yoh6xJ4fc5.exe - Binary or memory string: @@@*\AE:\miner\new\Project1.vbp
Source: Yoh6xJ4fc5.exe - Static file information: File size 2164910 > 1048576
Source: Yoh6xJ4fc5.exe - Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7f3000
Source: Yoh6xJ4fc5.exe - Static PE information: real checksum: 0x7fe176 should be: 0x21942f
No Mitre Att&ck techniques found
Source           Detection  Scanner         Label
Yoh6xJ4fc5.exe   44%        Virustotal
Yoh6xJ4fc5.exe   100%       Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 778224
Start date and time: 2023-01-05 08:20:10 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 39s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Yoh6xJ4fc5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal68.rans.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: C000007B
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.225533763154112
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Yoh6xJ4fc5.exe
File size: 2164910 bytes
MD5: d14ceedb53cf5316ecc6a09eace27be4
SHA1: ba84d27b6ce687fe6360fa1f55efd78fca01f94f
SHA256: 118c81907f82df9e435fc2dae7ab84cf61d07f628ac1238f615fdc16c81e6a88
SHA512: e644633ca5a6a1ff368b8ff5fee3cafeec43475e68a715dfa72f0fa4051d117872da1bfaeef6ca163a6c309e0a7e7a4ac45315502feba8e770e57345f6302e36
SSDEEP: 49152:0/2N9SdDAe7HNEZ6ia/ulEVuaMYEuFShvXAaiW5DjocFtZLj2XMhpF25FxjZVqiQ:0/eSdMeEZvlEVuaMYPShvXAaiW5Djocb
TLSH: 4FA52917E19350FCC67BC134875BA573B972F86912307EBF2664DB342E62E60262DB24
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...*...*...*...6...*...5...*..t5...*..Rich.*..................PE..L....fvb.................0...@...............@....@........
Icon Hash: 20047c7c70f0e004
Entrypoint: 0x401318
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x62766604 [Sat May 7 12:28:52 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 1a903a65eaa735683683eef11a03cfb0
Instruction
push 004014A4h
call 00007F3B60F99AB5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, al
mov bl, A9h
in eax, 63h
or dh, byte ptr [ebx+0F7D8943h]
and esi, ebx
inc edi
jecxz 00007F3B60F99AC2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], dh
xor dh, byte ptr [eax]
xor al, 33h
xor byte ptr [eax+72h], dl
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
xor byte ptr [30303043h], ch
sub eax, 00000000h
dec esp
xor dword ptr [eax], eax
add byte ptr [esp+edx], bh
mov seg?, word ptr [ecx]
add cl, 0000002Ah
inc esp
xchg eax, ebx
mov ecx, 975E124Ch
imul ebx, dword ptr [edi+582A52BDh], 4B86047Eh
xchg byte ptr [esi-56h], bh
retn 58EAh
sqrtps xmm7, dqword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc ebp
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [726F4600h], al
insd
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007F3B60F99B2Fh
xor dword ptr [eax], eax
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x2be4           0x28          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x5000           0x7f2f3c      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x230            0x20
IMAGE_DIRECTORY_ENTRY_IAT              0x1000           0xf4          .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
.text  0x1000           0x2080        0x3000    False     0.2984212239583333  data       4.071789033390128  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0x4000           0xa5c         0x1000    False     0.00634765625       data       0.0                IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0x5000           0x7f2f3c      0x7f3000  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA       Size      Type                                                                          Language  Country
CUSTOM         0x7f7e7c  0xc0      empty                                                                         English   United States
CUSTOM         0x7f45ac  0x38d0    empty                                                                         English   United States
CUSTOM         0x59ac    0x7eec00  PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows  English   United States
RT_ICON        0x587c    0x130     Device independent bitmap graphic, 32 x 64 x 1, image size 256
RT_ICON        0x5594    0x2e8     Device independent bitmap graphic, 32 x 64 x 4, image size 640
RT_ICON        0x546c    0x128     Device independent bitmap graphic, 16 x 32 x 4, image size 192
RT_GROUP_ICON  0x543c    0x30      data
RT_VERSION     0x5250    0x1ec     data                                                                          English   United States
DLL: MSVBVM60.DLL
Imports: _CIcos, _adj_fptan, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaPutOwner3, __vbaI2I4, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaStrToAnsi, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr
Language of compilation system  Country where language is spoken
English                         United States
No network behavior found
No statistics
No system behavior
No disassembly