
Windows Analysis Report
PC-SOFT_Set-Up.exe

Overview

General Information

Sample Name: PC-SOFT_Set-Up.exe
Analysis ID: 831158
MD5: f448d2bbece9ffca6d35b72ad699c545
SHA1: acab3e78eb72b8cde7f686a7adce243e819fa5ed
SHA256: bf83c57f5b1ae62b3a671d93d263d9704c4e5dc82a4b381b216afd7b1d4764aa
Tags:exeexpert-topcommalwarepass-1212stealer
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: C000007B

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Machine Learning detection for sample
PE file contains section with special chars
PE file overlay found
Uses 32bit PE files
Entry point lies outside standard sections
PE file contains sections with non-standard names

Classification

No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: PC-SOFT_Set-Up.exe | Joe Sandbox ML: detected
Source: PC-SOFT_Set-Up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

System Summary

Source: PC-SOFT_Set-Up.exe | Static PE information: section name: .Y :
Source: PC-SOFT_Set-Up.exe | Static PE information: section name: .(Y,
Source: PC-SOFT_Set-Up.exe | Static PE information: Data appended to the last section found
Source: PC-SOFT_Set-Up.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal48.winEXE@0/0@0/0
Source: PC-SOFT_Set-Up.exe | Static file information: File size 10371193 > 1048576
Source: PC-SOFT_Set-Up.exe | Static PE information: Raw size of .tve is bigger than: 0x100000 < 0x997400
Source: PC-SOFT_Set-Up.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: initial sample | Static PE information: section where entry point is pointing to: .tve
Source: PC-SOFT_Set-Up.exe | Static PE information: section name: .Y :
Source: PC-SOFT_Set-Up.exe | Static PE information: section name: .(Y,
Source: PC-SOFT_Set-Up.exe | Static PE information: section name: .tve
No Mitre Att&ck techniques found
Source | Detection | Scanner | Label | Link
PC-SOFT_Set-Up.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 831158
Start date and time: 2023-03-21 07:06:12 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 0
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: PC-SOFT_Set-Up.exe
Detection: MAL
Classification: mal48.winEXE@0/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Unable to launch sample, stop analysis
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: C000007B
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.962363679493409
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PC-SOFT_Set-Up.exe
File size: 10371193
MD5: f448d2bbece9ffca6d35b72ad699c545
SHA1: acab3e78eb72b8cde7f686a7adce243e819fa5ed
SHA256: bf83c57f5b1ae62b3a671d93d263d9704c4e5dc82a4b381b216afd7b1d4764aa
SHA512: 08a5c4adc2ec0112547f1f7705e1bcf29d40700e8f16bfaa752ad542ce0fa956e761e8bacc31343d92d26dea0d244acf2d5f7811faee3d181c9984ccd316689e
SSDEEP: 196608:BhzWfNRbFvKkdDlGBpcb5jIxprm3dbeNYieb6ifmhDEZmnr/KVx2B9to:BkhqBpcNcPr6beSOr/mxoHo
TLSH: 15A63333A39D00C0C5D48D3A8937BEE9B8F61F775B06B97AF9A67AC10132594B311987
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~...............t.......t.......t..............|j......|j......|j......Rich....................PE..L......d...................
Icon Hash: fe7be6c293b3d2e6
Entrypoint: 0x14101a0
Entrypoint Section: .tve
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x640C95D2 [Sat Mar 11 14:53:06 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: e9fa0dc321486a0834a2759b64589900
Instruction
push ebx
pushfd
mov ebx, 072D1758h
not bl
neg bx
test bl, 00000002h
push ebx
setle bl
and dword ptr [esp+ebx*2-0E5BD002h], 00361B9Eh
mov ebx, dword ptr [esp+ebx*2-0E5BCFFAh]
mov dword ptr [esp+08h], 5BC79C22h
push dword ptr [esp+04h]
popfd
lea esp, dword ptr [esp+08h]
call 00007FD560239FAEh
jmp 00007FD560A994F9h
jmp edi
mov bh, 08h
neg dword ptr [esi+1DA0DFBCh]
iretd
mov esp, 30D65AB3h
fidivr word ptr [eax-66CCCC7Bh]
das
add al, E9h
xor byte ptr [ebx+18h], dh
movsd
dec ebx
retf
pop ebx
jnp 00007FD560ACA85Ch
xor byte ptr [ebp+34B5FBE1h], dh
xor al, 29h
push edx
fmul st(0), st(7)
push ss
pop es
adc edi, ecx
or eax, dword ptr [ebp+47CF6779h]
xlatb
sbb eax, C0CBCC30h
xor eax, 5345C865h
or eax, 98ED306Bh
insd
movsd
cmp ecx, dword ptr [esi+ebx*2]
push es
test al, FFh
add eax, 7ACFC8B5h
mov al, byte ptr [14054FDAh]
loope 00007FD560ACA8ABh
mov al, A6h
mov cl, 2Bh
and bl, ch
add cl, byte ptr [esp+edx]
add ebp, edi
push di
xor ecx, eax
xor cl, byte ptr [edx-74h]
push es
test dword ptr [ecx+2D1ECDBDh], edx
mov eax, 591202C8h
fistp qword ptr [edi+4Dh]
shl ebp, cl
inc eax
popad
xchg eax, ecx
cmp dword ptr [eax+0000002Fh], eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1034ea8 | 0x8c | .tve
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10b8000 | 0x4c279 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10b7360 | 0x38 | .tve
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x71f000 | 0x1f0 | .(Y,
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x187f8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1a000 | 0x298a | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1d000 | 0x5dc | 0x200 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Y : | 0x1e000 | 0x7002d1 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.(Y, | 0x71f000 | 0x374 | 0x400 | False | 0.466796875 | data | 3.4850465125342907 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tve | 0x720000 | 0x9973a0 | 0x997400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10b8000 | 0x4c279 | 0x4c400 | False | 0.448377675689019 | data | 5.232399128159855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x10b8250 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 832 | |
RT_ICON | 0x10b85b8 | 0x748 | Device independent bitmap graphic, 24 x 48 x 24, image size 1824 | |
RT_ICON | 0x10b8d00 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3200 | |
RT_ICON | 0x10b99a8 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 7296 | |
RT_ICON | 0x10bb650 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12800 | |
RT_ICON | 0x10be878 | 0x70a8 | Device independent bitmap graphic, 96 x 192 x 24, image size 28800 | |
RT_ICON | 0x10c5920 | 0xc828 | Device independent bitmap graphic, 128 x 256 x 24, image size 51200 | |
RT_ICON | 0x10d2148 | 0x32028 | Device independent bitmap graphic, 256 x 512 x 24, image size 204800 | |
RT_GROUP_ICON | 0x1104170 | 0x76 | data | |
RT_MANIFEST | 0x11041e8 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | LocalSize, lstrlenA, LocalAlloc, IsBadCodePtr, GetProcAddress, LoadLibraryA
GDI32.dll | GetDeviceCaps
ole32.dll | CoInitialize
KERNEL32.dll | GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, LoadLibraryA, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, WriteConsoleW, SetStdHandle, IsProcessorFeaturePresent, DecodePointer, GetCommandLineA, RaiseException, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringW, GetStringTypeW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapSize, WriteFile, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, HeapReAlloc, VirtualQuery
USER32.dll | CharUpperBuffW
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress
Language of compilation system | Country where language is spoken | Map
English | United States |
Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.
No statistics
No system behavior
No disassembly