Edit tour

Windows Analysis Report
crash.bat

Overview

General Information

Sample Name:	crash.bat
Analysis ID:	1347525
MD5:	bc9ae5fde063670508888399f65b2fee
SHA1:	8f86773a0da30ccb9e8ba9090a6a405d9a73c510
SHA256:	ac47215a8231818e4c424012c1527a3e70087739865b035be9b47fb75d34c030
Tags:	bat
Infos:

Detection

Strela Stealer

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

C2 URLs / IPs found in malware configuration

Yara detected EXE embedded in BAT file

Queries the volume information (name, serial number etc) of a device

Drops PE files

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6408 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\crash.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

findstr.exe (PID: 4128 cmdline: findstr /V ambitious ""C:\Users\user\Desktop\crash.bat"" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

certutil.exe (PID: 5272 cmdline: certutil -f -decode hellish therapeutic.dll MD5: F17616EC0522FC5633151F7CAA278CAA)

rundll32.exe (PID: 6332 cmdline: rundll32 therapeutic.dll,x MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

Threatname: Strela Stealer

{
  "C2 url": "91.215.85.209/server.php"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
crash.bat	JoeSecurity_EXEembeddedinBATfile	Yara detected EXE embedded in BAT file	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 6332	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.6d820404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d820404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d7c0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Binary or memory string: 2F7GBgR0X+pDh86G55YUG2XlqGfQ+ZOwKH6XZucGP1Yf9NfVunx56/pX+LCMxI/UByb4Rl9o+gFlBA6ElBWgpw5ntMUGHxQ+NRQWcm9IiOApeftlGaK85A9GRxQrFKyLOtDXpwDGh4eztHwKe9kwsT55kn11KYqX5cIPB1woxeYCr3KUoAbIXK621teLbajJ+TB8BlJ2FbbTfvdyKSS10x96UsuLpZAuRHfTjJoee8VjvMcIYl6ViuBOY1uGEE0ZhZENGcfAVdv0e9lq+ME6KJFsyKNjD4sUA2/4MCFeypRh3GdpsS7w9CUhfMAnRfC/s6ayEY1SJFMRD/rFADPoGNGRE63bd+p4iFtIWTJm9OR0+2

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V ambitious ""C:\Users\user\Desktop\crash.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode hellish therapeutic.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 therapeutic.dll,x	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_6D81DC10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_6D81DC10

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 5.2.rundll32.exe.6d820404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d820404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6332, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 5.2.rundll32.exe.6d820404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d820404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6332, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Scripting	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Scripting	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
crash.bat	14%	ReversingLabs	Script-JS.Packed.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\therapeutic.dll	40%	ReversingLabs	Win64.Trojan.StrelaStealer

Source	Detection	Scanner	Label	Link
91.215.85.209/server.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
91.215.85.209/server.php	true	Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1347525
Start date and time:	2023-11-24 18:06:36 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	crash.bat
Detection:	MAL
Classification:	mal88.troj.evad.winBAT@8/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 71% Number of executed functions: 5 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .bat Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: crash.bat

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (366), with CRLF line terminators
Category:	modified
Size (bytes):	723778
Entropy (8bit):	5.596221550727205
Encrypted:	false
SSDEEP:	12288:Y7oh5QoNGWGZyTPnjAmM9aZKTz1RpxFg+cO6lKc9NTu7i8AO7QXM3us4PXK:Y7oh5QKGWG0rboasThRpxr56si854PK
MD5:	C9C89A47C7D937EC0F26092DD8427B70
SHA1:	69B578F01B7386BE72D7CAFCB45BDA823FE29A97
SHA-256:	338DCBD0F75ABD063E351BF27C13255EC0F776964CCB7C148EC46806C158EC2E
SHA-512:	3300A7822EA99D5CE8D2B28108EAEA4AF1D2ECACAA5FCEAE9FB691531A1F8AD803010C10D2DC2BEE36EA922D284A18B3C169D350241A5106E2E814FB9A58B4E5
Malicious:	false
Reputation:	low
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYRALppuGQA6gcAkAMAAPAAJiALAgIeAOIFAAC4BwAACgAAMBMAAAAQAAAAAHxtAAAAAAAQAAAAAgAABAAAAAAAAAAFAAIAAAAAAADACAAABgAAoqMIAAMAAAAAACAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAIADwAAAAAEA..gAsAUAAAAAAAAAAAAAANAHADQCAAAAAAAAAAAAAABACABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAHACgAAAAAAAAAAAAAAAAAAAAAAAAAbBEIADABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAPjhBQAAEAAAAOIFAAAGAAAAAAAAAAAAAAAAAABgAFBgLmRhdGEAAADAvAEAAAAGAAC+AQAA6AUAAAAAAAAAAAAAAAAAQABQwC5yZGF0YQAAgAIAAADABwAABAAAAKYHAAAAAAAAAAAAAAAAAEAAYEAucGRhdGEAADQCAAAA0AcAAAQAAACqBwAAAAAAAAAAAAAAAABA..ADBALnhkYXRhAADMAQAAAOAHAAACAAAArgcAAAAAAAAAAAAAAAAAQAAwQC5ic3MAAAAAMAkAAADwBwAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAYMAuZWRhdGEAADwAAAAAAAgAAAIAAACwBwAAAAAAAAAAAAAAAABAADBALmlkYXRhAACwBQAAABAIAAAGAAAAsgcAAAAAAAAAAAAAAAAAQAAwwC5DUlQAAAAAWAAAAAAgCAAAAgAAALgHAAAAAAAAAAAAAAAA

C:\Users\user\AppData\Local\Temp\therapeutic.dll

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	539883
Entropy (8bit):	6.701081088318034
Encrypted:	false
SSDEEP:	6144:ERSCSg+gfUYRjOuVZFGNRwND7Pypwwf/43wWPpoApvmJraTKzv:ExN21wwCwTA8rSKD
MD5:	19808287DD44452A6DA3596468487675
SHA1:	D485F9EAAFE0BF0CF7EB77173E6050B54BA05611
SHA-256:	EFD7A52121867B0D7A60B0FD609FC47726002033662736D309A1B94AA857FB98
SHA-512:	2863BB7687A08AD36E8642FC6FDD4A4A9822D24A1D91DA4A0AC19389C1E6ACBEDAD23A803A497DC1C91BAEF6E19A4DBB4B4108007A5E2A88FFDC81047DFE2751
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....i.d..........& ................0.........\|m.............................................. .........................................<.......................4............@..d...........................@...(...................l...0............................text...............................`.P`.data...............................@.P..rdata..............................@.`@.pdata..4...........................@.0@.xdata..............................@.0@.bss....0.............................`..edata..<...........................@.0@.idata..............................@.0..CRT....X.... ......................@.@..tls.........0......................@.@..reloc..d....@......................@.0B/4......P....P......................@.PB/19..........`... ..................@..B/31.....I...........................@..B/45....."...........................@..B/57.....

Static File Info

General

File type:	ASCII text, with very long lines (366), with CRLF line terminators
Entropy (8bit):	5.618323533842012
TrID:
File name:	crash.bat
File size:	730'262 bytes
MD5:	bc9ae5fde063670508888399f65b2fee
SHA1:	8f86773a0da30ccb9e8ba9090a6a405d9a73c510
SHA256:	ac47215a8231818e4c424012c1527a3e70087739865b035be9b47fb75d34c030
SHA512:	922732a178c5c61e00d50702c9d2df52a946f113878947220ae26db2954475acdd475791b58b0f0b79a50c14ed539d0f3e0d447f9c041b6802a6a1f821fcba47
SSDEEP:	12288:O7oh5QoNGWGZyTPnjAmM9aZKTz1RpxFg+cO6lKc9NTu7i8AO7QXM3us4PXc:O7oh5QKGWG0rboasThRpxr56si854Pc
TLSH:	7BF44BF472D077D70F75694DB3CE40B23D54B457F0EEEE86228D0D1E928429899ABEA0
File Content Preview:	/* ambitious..set ambitiouskillprovide=y..set ambitiousraspylanguage=e..set ambitiousfranticsense=h..set ambitioustangibledamaged=z..set ambitioushuntoatmeal=r..set ambitiouspointlessopposite=a..set ambitiouspreparearithmetic=b..set ambitioussplendidirrit

File Icon


Icon Hash:	9686878b929a9886

• cmd.exe
• conhost.exe
• findstr.exe
• certutil.exe
• rundll32.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• findstr.exe
• certutil.exe
• rundll32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	18:07:22
Start date:	24/11/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\crash.bat" "
Imagebase:	0x7ff667f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:07:22
Start date:	24/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:07:22
Start date:	24/11/2023
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V ambitious ""C:\Users\user\Desktop\crash.bat""
Imagebase:	0x7ff77a030000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:07:30
Start date:	24/11/2023
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decode hellish therapeutic.dll
Imagebase:	0x7ff7290a0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:07:30
Start date:	24/11/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 therapeutic.dll,x
Imagebase:	0x7ff761c90000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	58.1%
Signature Coverage:	3.5%
Total number of Nodes:	258
Total number of Limit Nodes:	13

Executed Functions

Function 000001A500BA1B10 Relevance: .2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab90fbaa547de31237a47299d8dcf17c26792cfeb83a94c4f8be24b4767d41f
Instruction ID: 61054f9382f32c4ac9ea1178ae9625a47fc27e24cbbb7d4c912a12a52aa11be6
Opcode Fuzzy Hash: 4ab90fbaa547de31237a47299d8dcf17c26792cfeb83a94c4f8be24b4767d41f
Instruction Fuzzy Hash: EA510A3160CA548BF76CDF28DC4D2EE77E6FB86321F40492EE08BDA095EA39D5058742

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BAA750 Relevance: 1.7, APIs: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e394acae8d0c5c1d098580eb93f18f15118eb964f95ba87f72cb3a85f677172b
Instruction ID: 3375e26fd570dfd76608c66295022ab4b508625d8c77ab56bb4f964671769b4b
Opcode Fuzzy Hash: e394acae8d0c5c1d098580eb93f18f15118eb964f95ba87f72cb3a85f677172b
Instruction Fuzzy Hash: 3B51283131DE194FF759AB199D882BA33C2E79A321F14412DF446C32A9EF24EC028697

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA9720 Relevance: 1.6, APIs: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000001A500BA5F77), ref: 000001A500BA9739

Part of subcall function 000001A500BA7024: RtlAllocateHeap.NTDLL ref: 000001A500BA7062

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateEnvironmentHeapStrings
String ID:
API String ID: 4128402249-0
Opcode ID: 2c7e0ff2c99f30fc8464828f7296def7d9bda60d9e6e20c17c4b7a38986661b7
Instruction ID: 5f42d48406437a9bafe784ea15ec93e6fac36cafb721abca148ade9b4c6f48e6
Opcode Fuzzy Hash: 2c7e0ff2c99f30fc8464828f7296def7d9bda60d9e6e20c17c4b7a38986661b7
Instruction Fuzzy Hash: E731B03072DF2C4FEBA4AF6859452AE76D2FB4A360F40052EB48AC3295DB30CC409783

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA7024 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 000001A500BA7062

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b20df32957e6063642f50c38a775f15869f834a38cfda6d0d60968ee64a1a189
Instruction ID: da4c17991da7649d662b2b406cda3189ef9cbb0bd31efea1c240edb619424187
Opcode Fuzzy Hash: b20df32957e6063642f50c38a775f15869f834a38cfda6d0d60968ee64a1a189
Instruction Fuzzy Hash: 43F0893036EE154AFB74A7790E957BD21C2EB5B331F4414247882C21DAEE68C840C113

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA6468 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000001A500BA6464), ref: 000001A500BA6493

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d31ba4df86540271e51aa99aa21df2c9756cccc32a690f4676fb70f3e9fc18fc
Instruction ID: ec73f00b541cdb9896a9ff6d7150ad045e9bf0429e99672c1802fe73b275d7fd
Opcode Fuzzy Hash: d31ba4df86540271e51aa99aa21df2c9756cccc32a690f4676fb70f3e9fc18fc
Instruction Fuzzy Hash: 21D05E747496044BFF587BB05A982ED2752CB4A315F0418297543CB7DBCE3988088742

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6D81DC10 Relevance: 7.6, APIs: 5, Instructions: 56
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6D81DC55
GetCurrentProcessId.KERNEL32 ref: 6D81DC60
GetCurrentThreadId.KERNEL32 ref: 6D81DC69
GetTickCount.KERNEL32 ref: 6D81DC71
QueryPerformanceCounter.KERNEL32 ref: 6D81DC7E

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 7b63a19cbcc4ce6c2eef7467b078b1d9941821b456779c70f1005518f10611cf
Instruction ID: dc4c99784f0eceae880f772b6ee7880057ed01f0d7846c8e2fb2d0e79bb9d06c
Opcode Fuzzy Hash: 7b63a19cbcc4ce6c2eef7467b078b1d9941821b456779c70f1005518f10611cf
Instruction Fuzzy Hash: 0311E366B15A5559FB204B25FC08359B3A1B789BF0F085B329E9C43BA4EF3CD5A6C300

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BAE9E8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001A500BAEC37

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: d56964a5f49c9b40b8adc3917d1bac2300405c3cd4435244373557d2ff83d0fa
Instruction ID: 2a3ef0b6834bf05503d218d5c3093e3255783d19e38027ed4569b3ed3c07872b
Opcode Fuzzy Hash: d56964a5f49c9b40b8adc3917d1bac2300405c3cd4435244373557d2ff83d0fa
Instruction Fuzzy Hash: 86C19130214B5D8FEB98CF1CC58AB9937E1FF46324F558599E8A9CB2A5C335D851CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA1240 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899b2e6578edd9a1b095aa592ee760f9b6ad1a4752dc88a3c39aa905f43cb305
Instruction ID: a85a192abc7f1ff53552e08edf989bfa38993b67d13dae534bd9874faa265f21
Opcode Fuzzy Hash: 899b2e6578edd9a1b095aa592ee760f9b6ad1a4752dc88a3c39aa905f43cb305
Instruction Fuzzy Hash: 95E15F70618B888BEB65DF18D8957EE77E2FB95314F004A1EE48AD3164DF349641CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6D7C2C77 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f54bf6f7cd7cba3dbdddf3265dfadd7ee59e53b54eee2a6ff8b64330d62a57d
Instruction ID: 29b6ddb054953b6d4a777895ccff16241a250442a8f8053ecf451a46508fa725
Opcode Fuzzy Hash: 4f54bf6f7cd7cba3dbdddf3265dfadd7ee59e53b54eee2a6ff8b64330d62a57d
Instruction Fuzzy Hash: 8CB1CFAB7E19021CFA26593A8B217DF1E71A362778F277F019E305B3F6C67A414A5200

Uniqueness

Uniqueness Score: -1.00%

Function 6D7C270C Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8aa46beac6f61392775fce6f5ab917fb2a0dd34b8b9cfb237716bfd4e88f00a
Instruction ID: 29f217926de9602ca570867c581fe4ec0a1a87a3d1c758fcd6d10006fa8c929c
Opcode Fuzzy Hash: f8aa46beac6f61392775fce6f5ab917fb2a0dd34b8b9cfb237716bfd4e88f00a
Instruction Fuzzy Hash: DEB1CFAB7F19021CFA26593A8B217DF1E71A362778F277F019E305B3F6C67A414A5200

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA1740 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d4d12f09b85e87e1a7be2692fdd10d2d9dc54227c38850a4f6943f9870d6fb
Instruction ID: ba658fe966d3e57b3957416f339266c0852be430448c116943fcffc5f4475e76
Opcode Fuzzy Hash: 93d4d12f09b85e87e1a7be2692fdd10d2d9dc54227c38850a4f6943f9870d6fb
Instruction Fuzzy Hash: 41B18331208E588FEB69EF28DC557EE73E1FB95311F00462AE49BD3195DF349A058B82

Uniqueness

Uniqueness Score: -1.00%

Function 6D7C144B Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6da2e321d4bf3fd84724f255799914a25ae5704a16a1417d17132af3f424d289
Instruction ID: d4f2f25ec7426b8464927d4aca7167910f7f69772aff0995487297ba58a4fa99
Opcode Fuzzy Hash: 6da2e321d4bf3fd84724f255799914a25ae5704a16a1417d17132af3f424d289
Instruction Fuzzy Hash: D8B1D8BB7A1A8108FB258B399B147EF2A70B351BB8F127B15DE384B7F4DE7941419210

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA67BC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f10fd97f69d521058c5aaafffa8a1be1807758c8cba4beff399fa7c1d450c5e9
Instruction ID: 9e18d947b1c9bf90ce37c65089e273495e7575b0c17c67a780e45c31c4a56f65
Opcode Fuzzy Hash: f10fd97f69d521058c5aaafffa8a1be1807758c8cba4beff399fa7c1d450c5e9
Instruction Fuzzy Hash: 46512732318E1C4FDB1CDF2CD4996B973D2E7AE320B15822EF44AC72A5DA34D8468781

Uniqueness

Uniqueness Score: -1.00%

Function 6D81E0A0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,6D7C1278), ref: 6D81E1CD

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6D81E34E
Unknown pseudo relocation bit size %d., xrefs: 6D81E33A

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: 6a91665792fec78edc54ec87d1a1cae77512886ada2b9dbbd0315f0d1a4e7ab3
Instruction ID: ff1745f3972e441fec5f5b57a2a42a21c1ce8358a078399f35ff96db60abdbfd
Opcode Fuzzy Hash: 6a91665792fec78edc54ec87d1a1cae77512886ada2b9dbbd0315f0d1a4e7ab3
Instruction Fuzzy Hash: DB910231B1C6638AEB1687A9DC48B5E7362B745BA8F518D16DE1CC3F94DA3DC0898701

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA4558 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001A500BA45B5

Part of subcall function 000001A500BA54B4: __GetUnwindTryBlock.LIBCMT ref: 000001A500BA54F7
Part of subcall function 000001A500BA54B4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001A500BA551C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001A500BA468D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001A500BA48E2
std::bad_alloc::bad_alloc.LIBCMT ref: 000001A500BA49EE

Strings

csm, xrefs: 000001A500BA46B0
csm, xrefs: 000001A500BA45CF
csm, xrefs: 000001A500BA4636

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 39137d1223ea651748fe43d48d6e13ffbffa615f9d97bbdaf1a448efdaf38685
Instruction ID: eb22345454b1660919b98ed3c7e4d59cba6c46cc336cc348476a69b9ea738d33
Opcode Fuzzy Hash: 39137d1223ea651748fe43d48d6e13ffbffa615f9d97bbdaf1a448efdaf38685
Instruction Fuzzy Hash: 41F17E30619E588FEB54EF5885417ED77E2FB9B320F500659F489C329ADB70A981CB83

Uniqueness

Uniqueness Score: -1.00%

Function 6D81DED0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 6D81DF7B
VirtualProtect.KERNEL32 ref: 6D81E022
GetLastError.KERNEL32 ref: 6D81E030

Strings

Address %p has no image-section, xrefs: 6D81E08D
VirtualProtect failed with code 0x%x, xrefs: 6D81E036
VirtualQuery failed for %d bytes at address %p, xrefs: 6D81E077

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 637304234-2123141913
Opcode ID: ed214b71aab825f5803fae0610a2ccb6b171a412dd13c7b99c2e70dc9578d3e0
Instruction ID: 7fc2b58eacafb6c883691fae477f2a0488e92ea9f9e2691163276c902dac7f84
Opcode Fuzzy Hash: ed214b71aab825f5803fae0610a2ccb6b171a412dd13c7b99c2e70dc9578d3e0
Instruction Fuzzy Hash: 75510F73B09A528AE7118F66EC0879D73A5F795BA4F018912EE1D83754EF38C249C300

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA2770 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A500BA279B
_IsNonwritableInCurrentImage.LIBCMT ref: 000001A500BA2830

Strings

csm, xrefs: 000001A500BA2816
f, xrefs: 000001A500BA27AE

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 83378c33feeee9c4e103d0aeda362cd02856fccc2569b0da28eb2b5b44c07327
Instruction ID: c60027bac8376a07c7590ed3cd94d06ed8bac94341e067680561074cdf7f09f6
Opcode Fuzzy Hash: 83378c33feeee9c4e103d0aeda362cd02856fccc2569b0da28eb2b5b44c07327
Instruction Fuzzy Hash: 3761B23071DD258BEF5CAF1CD9857A973D2FB56360F50416DF8C6C329ADA20EC418A86

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA4D8C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001A500BA4DB4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001A500BA4E9C

Strings

csm, xrefs: 000001A500BA4DD6
csm, xrefs: 000001A500BA4EEE

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: d5ea70ca177011969eb85e430d49eb803d467ac3b2a0863a2be913de104a1ddc
Instruction ID: a0d53d2f63918ac3acc94d2151d20904ce42116fb0c0e2c157db59552b9a1ce8
Opcode Fuzzy Hash: d5ea70ca177011969eb85e430d49eb803d467ac3b2a0863a2be913de104a1ddc
Instruction Fuzzy Hash: 70715030309E248FEBA89B1881843ACB7D2FB97325F64515AB499C66DAC7B1D881C743

Uniqueness

Uniqueness Score: -1.00%

Function 6D7C1010 Relevance: 6.1, APIs: 4, Instructions: 131
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 6D7C1057
_amsg_exit.MSVCRT ref: 6D7C1081

Memory Dump Source

Source File: 00000005.00000002.2081689356.000000006D7C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D7C0000, based on PE: true

Associated: 00000005.00000002.2081676559.000000006D7C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081719467.000000006D820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081735965.000000006D83C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081747544.000000006D841000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D846000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2081758280.000000006D84B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d7c0000_rundll32.jbxd

Yara matches

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 2b49f828df25c7504276480ae1f8d3e5692604d7af01f57826d84bd0556cc8c9
Instruction ID: e0a8b54186713688f984d1e52cb8d521f43b4d6b19b3803fe2e3250357c5b56a
Opcode Fuzzy Hash: 2b49f828df25c7504276480ae1f8d3e5692604d7af01f57826d84bd0556cc8c9
Instruction Fuzzy Hash: DB419032B056558EE7038B9AEE5475522A6B784BE5F898437DE1C87350DF3EC4D1C342

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA1DEC Relevance: 6.1, APIs: 4, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 000001A500BA1DFB

Part of subcall function 000001A500BA1FB0: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001A500BA1FD2

__scrt_acquire_startup_lock.LIBCMT ref: 000001A500BA1E10
__scrt_release_startup_lock.LIBCMT ref: 000001A500BA1E7E
__scrt_get_show_window_mode.LIBCMT ref: 000001A500BA1ED1

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: fff619cecbfd043d8d146dc78237dedbc44789d86068deb7e7ce02ed1ecd986d
Instruction ID: 52342516f831e02accb15e050379f4ac2cae087dd46d0ee8c0ba7517b30eb1a0
Opcode Fuzzy Hash: fff619cecbfd043d8d146dc78237dedbc44789d86068deb7e7ce02ed1ecd986d
Instruction Fuzzy Hash: AA417C3070EE648EFB98A76CCA553ED3293AB57321F44492878C6D72DBDE2948458253

Uniqueness

Uniqueness Score: -1.00%

Function 000001A500BA4A30 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001A500BA4ACB

Strings

MOC, xrefs: 000001A500BA4A91
RCC, xrefs: 000001A500BA4A9A

Memory Dump Source

Source File: 00000005.00000002.2081890082.000001A500BA1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A500BA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1a500ba1000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 5ea54aec067562482f4b68b493fd0d2592e30a206b4815ae92b23c2db257c6ef
Instruction ID: 9e7482e7cdd47045e33c822e59873056db3e81fdd74ad3e3f470971c10561f22
Opcode Fuzzy Hash: 5ea54aec067562482f4b68b493fd0d2592e30a206b4815ae92b23c2db257c6ef
Instruction Fuzzy Hash: 38719E30619A1C8FEB58EF58C5427EDB3E1FB9A310F100259F48AD3156D7B4E9418B82

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2C77	5_2_6D7C2C77
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C144B	5_2_6D7C144B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C270C	5_2_6D7C270C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BA1B10	5_2_000001A500BA1B10
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BAE9E8	5_2_000001A500BAE9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BA1240	5_2_000001A500BA1240
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BA67BC	5_2_000001A500BA67BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BA1740	5_2_000001A500BA1740

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C1F78 pushfq ; ret	5_2_6D7C1F7D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3D74 pushfq ; ret	5_2_6D7C3D79
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3E6D pushfq ; ret	5_2_6D7C3E72
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C366F pushfq ; ret	5_2_6D7C3674
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2D6A pushfq ; ret	5_2_6D7C2D6E
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3352 pushfq ; ret	5_2_6D7C3357
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C4737 pushfq ; ret	5_2_6D7C473C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C1A2D pushfq ; ret	5_2_6D7C1A31
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C232A pushfq ; ret	5_2_6D7C232F
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3F27 pushfq ; ret	5_2_6D7C3F2C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3017 pushfq ; ret	5_2_6D7C301C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C390D pushfq ; ret	5_2_6D7C3912
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C1B03 pushfq ; ret	5_2_6D7C1B08
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C39F5 pushfq ; ret	5_2_6D7C39FA
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C40E2 pushfq ; ret	5_2_6D7C40E7
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2BD7 pushfq ; ret	5_2_6D7C2BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C4997 pushfq ; ret	5_2_6D7C499C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001A500BB654E push ecx; retf 003Fh	5_2_000001A500BB65AE

Source: therapeutic.dll.4.dr	Static PE information: section name: .xdata
Source: therapeutic.dll.4.dr	Static PE information: section name: /4
Source: therapeutic.dll.4.dr	Static PE information: section name: /19
Source: therapeutic.dll.4.dr	Static PE information: section name: /31
Source: therapeutic.dll.4.dr	Static PE information: section name: /45
Source: therapeutic.dll.4.dr	Static PE information: section name: /57
Source: therapeutic.dll.4.dr	Static PE information: section name: /70

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\crash.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V ambitious ""C:\Users\user\Desktop\crash.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode hellish therapeutic.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 therapeutic.dll,x
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V ambitious ""C:\Users\user\Desktop\crash.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decode hellish therapeutic.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 therapeutic.dll,x	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report crash.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Strela Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\hellish

C:\Users\user\AppData\Local\Temp\therapeutic.dll

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 6408, Parent PID: 1028

General

File Activities

File Opened

File Created

File Read

File Attributes Queried

Other File Operations

Windows Analysis Report
crash.bat