
Windows Analysis Report
i2wBlKtxrM.exe

Overview

General Information

Sample Name:i2wBlKtxrM.exe
Original Sample Name:6f7332625d573ccc7b14264ee0db7e671305e1206c7eaf920e17c26f7b5b64a7
Analysis ID:2476126
MD5:3d114954f3c8b60f05e56e4cb4ea2c1c
SHA1:219309830ee31d06c21abb8bdbcd68c610093152
SHA256:6f7332625d573ccc7b14264ee0db7e671305e1206c7eaf920e17c26f7b5b64a7

Detection

SolarMarker
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:48
Range:0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Yara detected SolarMarker Dropper
Yara detected SolarMarker
Machine Learning detection for sample
.NET source code contains very large strings
Detected PE file pumping (to bypass AV & sandboxing)
Sample uses string decryption to hide its real strings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a process in suspended mode (likely to inject code)

Classification