Edit tour
Windows
Analysis Report
myidJB8lDL.exe
Overview
General Information
| Sample name: | myidJB8lDL.exerenamed because original name is a hash value |
| Original sample name: | b83412ee8e4b5e4b96d43ff7832cac8f.exe |
| Analysis ID: | 1363401 |
| MD5: | b83412ee8e4b5e4b96d43ff7832cac8f |
| SHA1: | 40db2bcf274f0968cc8f9c153fb88b13821af357 |
| SHA256: | 446cf6ac1de71c4307ec105d6fa09d48b7fd65f788c1be8fcea56ba097a6d818 |
| Tags: | exenjratRAT |
| Infos: |  |
 | |
Detection
Njrat
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables zone checking for all users
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Yara signature match
Classification
- System is w10x64
myidJB8lDL.exe (PID: 6820 cmdline: C:\Users\u ser\Deskto p\myidJB8l DL.exe MD5: B83412EE8E4B5E4B96D43FF7832CAC8F) - server.exe (PID: 3484 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\server .exe" MD5: B83412EE8E4B5E4B96D43FF7832CAC8F) - netsh.exe (PID: 6184 cmdline:
netsh fire wall add a llowedprog ram "C:\Us ers\user\A ppData\Loc al\Temp\se rver.exe" "server.ex e" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF) 
conhost.exe (PID: 6312 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- Microsoft Corporation.exe (PID: 6312 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Microsoft \Windows\S tart Menu\ Programs\S tartup\Mic rosoft Cor poration.e xe" MD5: B83412EE8E4B5E4B96D43FF7832CAC8F)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| NjRAT | RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored. |
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "c57556e5735bc2d214eb9a21cf22ff31", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
| CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth |
| |
| Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
| MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth |
| |
| Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
| Click to see the 15 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
| Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
| Click to see the 3 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
| Windows_Trojan_Njrat_30f3c220 | unknown | unknown |
| |
| CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth |
| |
| Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group |
| |
| MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen |
|
⊘No Sigma rule has matched
| Timestamp: | 192.168.2.43.69.115.17849736124192814856 12/16/23-14:32:34.069646 |
| SID: | 2814856 |
| Source Port: | 49736 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849738124192814856 12/16/23-14:33:07.134713 |
| SID: | 2814856 |
| Source Port: | 49738 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849744124192814856 12/16/23-14:35:56.314002 |
| SID: | 2814856 |
| Source Port: | 49744 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049742124192033132 12/16/23-14:34:40.325313 |
| SID: | 2033132 |
| Source Port: | 49742 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049743124192033132 12/16/23-14:35:11.327522 |
| SID: | 2033132 |
| Source Port: | 49743 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049743124192814860 12/16/23-14:35:13.739948 |
| SID: | 2814860 |
| Source Port: | 49743 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849744124192033132 12/16/23-14:35:56.072047 |
| SID: | 2033132 |
| Source Port: | 49744 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849736124192033132 12/16/23-14:32:33.827942 |
| SID: | 2033132 |
| Source Port: | 49736 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849729124192814856 12/16/23-14:32:00.247681 |
| SID: | 2814856 |
| Source Port: | 49729 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849738124192825564 12/16/23-14:33:11.248802 |
| SID: | 2825564 |
| Source Port: | 49738 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849739124192814856 12/16/23-14:33:41.766455 |
| SID: | 2814856 |
| Source Port: | 49739 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049740124192814856 12/16/23-14:34:16.768267 |
| SID: | 2814856 |
| Source Port: | 49740 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849729124192825564 12/16/23-14:32:04.581044 |
| SID: | 2825564 |
| Source Port: | 49729 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849739124192825564 12/16/23-14:33:42.660469 |
| SID: | 2825564 |
| Source Port: | 49739 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049743124192814856 12/16/23-14:35:11.568835 |
| SID: | 2814856 |
| Source Port: | 49743 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849729124192033132 12/16/23-14:32:00.007016 |
| SID: | 2033132 |
| Source Port: | 49729 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849738124192033132 12/16/23-14:33:06.894258 |
| SID: | 2033132 |
| Source Port: | 49738 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849739124192033132 12/16/23-14:33:41.525416 |
| SID: | 2033132 |
| Source Port: | 49739 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849738124192814860 12/16/23-14:33:11.248802 |
| SID: | 2814860 |
| Source Port: | 49738 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049742124192814856 12/16/23-14:34:40.567429 |
| SID: | 2814856 |
| Source Port: | 49742 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049741124192814856 12/16/23-14:34:36.971005 |
| SID: | 2814856 |
| Source Port: | 49741 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849729124192814860 12/16/23-14:32:04.581044 |
| SID: | 2814860 |
| Source Port: | 49729 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049741124192033132 12/16/23-14:34:36.729114 |
| SID: | 2033132 |
| Source Port: | 49741 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.115.17849739124192814860 12/16/23-14:33:42.660469 |
| SID: | 2814860 |
| Source Port: | 49739 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049740124192033132 12/16/23-14:34:16.527045 |
| SID: | 2033132 |
| Source Port: | 49740 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 192.168.2.43.69.157.22049743124192825564 12/16/23-14:35:13.739948 |
| SID: | 2825564 |
| Source Port: | 49743 |
| Destination Port: | 12419 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Malware Configuration Extractor: | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | Virustotal: | Perma Link | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Spreading | |
|---|
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Networking | |
|---|
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | Snort IDS: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | ASN Name: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | Window created: | Jump to behavior | ||
| Source: | Window created: | Jump to behavior | ||
| Source: | Window created: | Jump to behavior | ||
E-Banking Fraud | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
System Summary | |
|---|
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_055A4298 | |
| Source: | Code function: | 0_2_055A427D | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Matched rule: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | |||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
Data Obfuscation | |
|---|
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Last function: | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Thread delayed: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
Lowering of HIPS / PFW / Operating System Security Settings | |
|---|
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | .Net Code: | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 Replication Through Removable Media | Windows Management Instrumentation | 12 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | 21 Replication Through Removable Media | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 12 Registry Run Keys / Startup Folder | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | 1 Non-Standard Port | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 21 Virtualization/Sandbox Evasion | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Application Layer Protocol | Data Encrypted for Impact | DNS Server | Email Addresses | ||
| Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Traffic Duplication | 1 Application Layer Protocol | Data Destruction | Virtual Private Server | Employee Names | ||
| Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 1 Peripheral Device Discovery | SSH | Keylogging | Scheduled Transfer | Fallback Channels | Data Encrypted for Impact | Server | Gather Victim Network Information | ||
| Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | Service Stop | Botnet | Domain Properties | ||
| External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | Inhibit System Recovery | Web Services | DNS |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 82% | Virustotal | Browse | ||
| 100% | Avira | TR/Dropper.Gen | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Dropper.Gen | ||
| 100% | Avira | TR/Dropper.Gen | ||
| 100% | Avira | TR/Dropper.Gen | ||
| 100% | Avira | TR/Dropper.Gen | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 82% | Virustotal | Browse | ||
| 82% | Virustotal | Browse | ||
| 82% | Virustotal | Browse | ||
| 82% | Virustotal | Browse |
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 11% | Virustotal | Browse |
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 6.tcp.eu.ngrok.io | 3.69.115.178 | true | true |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 3.69.115.178 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true | |
| 3.69.157.220 | unknown | United States | 16509 | AMAZON-02US | true |
| Joe Sandbox version: | 38.0.0 Ammolite |
| Analysis ID: | 1363401 |
| Start date and time: | 2023-12-16 14:31:04 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 7m 50s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 9 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | myidJB8lDL.exerenamed because original name is a hash value |
| Original Sample Name: | b83412ee8e4b5e4b96d43ff7832cac8f.exe |
| Detection: | MAL |
| Classification: | mal100.spre.phis.troj.adwa.evad.winEXE@7/9@4/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 13:31:58 | Autostart | |
| 13:32:08 | Autostart | |
| 14:32:32 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 3.69.115.178 | Get hash | malicious | Njrat | Browse | ||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Quasar | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | njRat | Browse | |||
| 3.69.157.220 | Get hash | malicious | Njrat | Browse | ||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | AsyncRAT, DcRat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Njrat | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | njRat | Browse | |||
| Get hash | malicious | njRat | Browse | |||
| Get hash | malicious | njRat | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 6.tcp.eu.ngrok.io | Get hash | malicious | Njrat | Browse |
| |
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | AsyncRAT, DcRat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| AMAZON-02US | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| AMAZON-02US | Get hash | malicious | Mirai | Browse |
| |
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | Njrat | Browse |
| ||
| Get hash | malicious | Mirai | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
| ||
| Get hash | malicious | SmokeLoader | Browse |
| ||
| Get hash | malicious | RisePro Stealer, SmokeLoader, Vidar | Browse |
|
⊘No context
⊘No context
| Process: | C:\Users\user\AppData\Local\Temp\server.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93184 |
| Entropy (8bit): | 5.549094511461939 |
| Encrypted: | false |
| SSDEEP: | 1536:Sd4XkWOqipj69Qos0n2NDkNskqVR1mpwv:O43qj69QMGqxqVRQw |
| MD5: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| SHA1: | 40DB2BCF274F0968CC8F9C153FB88B13821AF357 |
| SHA-256: | 446CF6AC1DE71C4307EC105D6FA09D48B7FD65F788C1BE8FCEA56BA097A6D818 |
| SHA-512: | 8E189FF517E5613FB7D211E5B7589572B1C42B7C8B65E11935BA67AA89C7E1FAC7DBFD09EF242801451B49B859377CE706DE96143F1EAC6361E84FC157FE643C |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Microsoft Corporation.exe.log
Download File
| Process: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 525 |
| Entropy (8bit): | 5.259753436570609 |
| Encrypted: | false |
| SSDEEP: | 12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve |
| MD5: | 260E01CC001F9C4643CA7A62F395D747 |
| SHA1: | 492AD0ACE3A9C8736909866EEA168962D418BE5A |
| SHA-256: | 4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030 |
| SHA-512: | 01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\myidJB8lDL.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 525 |
| Entropy (8bit): | 5.259753436570609 |
| Encrypted: | false |
| SSDEEP: | 12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve |
| MD5: | 260E01CC001F9C4643CA7A62F395D747 |
| SHA1: | 492AD0ACE3A9C8736909866EEA168962D418BE5A |
| SHA-256: | 4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030 |
| SHA-512: | 01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\myidJB8lDL.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93184 |
| Entropy (8bit): | 5.549094511461939 |
| Encrypted: | false |
| SSDEEP: | 1536:Sd4XkWOqipj69Qos0n2NDkNskqVR1mpwv:O43qj69QMGqxqVRQw |
| MD5: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| SHA1: | 40DB2BCF274F0968CC8F9C153FB88B13821AF357 |
| SHA-256: | 446CF6AC1DE71C4307EC105D6FA09D48B7FD65F788C1BE8FCEA56BA097A6D818 |
| SHA-512: | 8E189FF517E5613FB7D211E5B7589572B1C42B7C8B65E11935BA67AA89C7E1FAC7DBFD09EF242801451B49B859377CE706DE96143F1EAC6361E84FC157FE643C |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe 
Download File
| Process: | C:\Users\user\AppData\Local\Temp\server.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93184 |
| Entropy (8bit): | 5.549094511461939 |
| Encrypted: | false |
| SSDEEP: | 1536:Sd4XkWOqipj69Qos0n2NDkNskqVR1mpwv:O43qj69QMGqxqVRQw |
| MD5: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| SHA1: | 40DB2BCF274F0968CC8F9C153FB88B13821AF357 |
| SHA-256: | 446CF6AC1DE71C4307EC105D6FA09D48B7FD65F788C1BE8FCEA56BA097A6D818 |
| SHA-512: | 8E189FF517E5613FB7D211E5B7589572B1C42B7C8B65E11935BA67AA89C7E1FAC7DBFD09EF242801451B49B859377CE706DE96143F1EAC6361E84FC157FE643C |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c57556e5735bc2d214eb9a21cf22ff31Windows Update.exe
Download File
| Process: | C:\Users\user\AppData\Local\Temp\server.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 93184 |
| Entropy (8bit): | 5.549094511461939 |
| Encrypted: | false |
| SSDEEP: | 1536:Sd4XkWOqipj69Qos0n2NDkNskqVR1mpwv:O43qj69QMGqxqVRQw |
| MD5: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| SHA1: | 40DB2BCF274F0968CC8F9C153FB88B13821AF357 |
| SHA-256: | 446CF6AC1DE71C4307EC105D6FA09D48B7FD65F788C1BE8FCEA56BA097A6D818 |
| SHA-512: | 8E189FF517E5613FB7D211E5B7589572B1C42B7C8B65E11935BA67AA89C7E1FAC7DBFD09EF242801451B49B859377CE706DE96143F1EAC6361E84FC157FE643C |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\Desktop\myidJB8lDL.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 5 |
| Entropy (8bit): | 2.321928094887362 |
| Encrypted: | false |
| SSDEEP: | 3:1n:1 |
| MD5: | 02B81B0CBE1FAAA1FA62D5FC876AB443 |
| SHA1: | D473CFE21FB1F188689415B0BDD239688F8FDDD9 |
| SHA-256: | E7E9E2C247BC872BACCE77661C78F001A17D70EE3130A9016A5818DA9DA00CDB |
| SHA-512: | 592AB5B200D4C560951CB70288DC1B7A562F0CBFAEE01CE03076B6934D537B88575C2E1E0FEDCC05DB95E6C224CA739923E7D74F9165E683F3FBAD7BBF641784 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\server.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 55 |
| Entropy (8bit): | 4.474554204780528 |
| Encrypted: | false |
| SSDEEP: | 3:It1KV2PHQCyK0x:e1KAwCyD |
| MD5: | 40B1630BE21F39CB17BD1963CAE5A207 |
| SHA1: | 63C14BD151D42820DD45C033363FA5B9E1D34124 |
| SHA-256: | F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1 |
| SHA-512: | 833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926 |
| Malicious: | true |
| Preview: |
| Process: | C:\Windows\SysWOW64\netsh.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 313 |
| Entropy (8bit): | 4.971939296804078 |
| Encrypted: | false |
| SSDEEP: | 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha |
| MD5: | 689E2126A85BF55121488295EE068FA1 |
| SHA1: | 09BAAA253A49D80C18326DFBCA106551EBF22DD6 |
| SHA-256: | D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25 |
| SHA-512: | C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.549094511461939 |
| TrID: |
|
| File name: | myidJB8lDL.exe |
| File size: | 93'184 bytes |
| MD5: | b83412ee8e4b5e4b96d43ff7832cac8f |
| SHA1: | 40db2bcf274f0968cc8f9c153fb88b13821af357 |
| SHA256: | 446cf6ac1de71c4307ec105d6fa09d48b7fd65f788c1be8fcea56ba097a6d818 |
| SHA512: | 8e189ff517e5613fb7d211e5b7589572b1c42b7c8b65e11935ba67aa89c7e1fac7dbfd09ef242801451b49b859377ce706de96143f1eac6361e84fc157fe643c |
| SSDEEP: | 1536:Sd4XkWOqipj69Qos0n2NDkNskqVR1mpwv:O43qj69QMGqxqVRQw |
| TLSH: | 2F93D74933E15069E2FE8AF3A971B2404FB9F0471742934D49E179BA1A33AD84F44DBB |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ixe.................h..........N.... ........@.. ....................................@................................ |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x41864e |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x657869AD [Tue Dec 12 14:09:49 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
| Instruction |
|---|
| jmp dword ptr [00402000h] |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| add byte ptr [eax], al |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x185fc | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x16654 | 0x16800 | False | 0.36357421875 | data | 5.581764800393336 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .reloc | 0x1a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 192.168.2.43.69.115.17849736124192814856 12/16/23-14:32:34.069646 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849738124192814856 12/16/23-14:33:07.134713 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849744124192814856 12/16/23-14:35:56.314002 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049742124192033132 12/16/23-14:34:40.325313 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.157.22049743124192033132 12/16/23-14:35:11.327522 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.157.22049743124192814860 12/16/23-14:35:13.739948 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.115.17849744124192033132 12/16/23-14:35:56.072047 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849736124192033132 12/16/23-14:32:33.827942 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849729124192814856 12/16/23-14:32:00.247681 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849738124192825564 12/16/23-14:33:11.248802 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849739124192814856 12/16/23-14:33:41.766455 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049740124192814856 12/16/23-14:34:16.768267 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.115.17849729124192825564 12/16/23-14:32:04.581044 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849739124192825564 12/16/23-14:33:42.660469 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049743124192814856 12/16/23-14:35:11.568835 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.115.17849729124192033132 12/16/23-14:32:00.007016 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849738124192033132 12/16/23-14:33:06.894258 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849739124192033132 12/16/23-14:33:41.525416 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.115.17849738124192814860 12/16/23-14:33:11.248802 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049742124192814856 12/16/23-14:34:40.567429 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.157.22049741124192814856 12/16/23-14:34:36.971005 | TCP | 2814856 | ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.115.17849729124192814860 12/16/23-14:32:04.581044 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049741124192033132 12/16/23-14:34:36.729114 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.115.17849739124192814860 12/16/23-14:33:42.660469 | TCP | 2814860 | ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| 192.168.2.43.69.157.22049740124192033132 12/16/23-14:34:16.527045 | TCP | 2033132 | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| 192.168.2.43.69.157.22049743124192825564 12/16/23-14:35:13.739948 | TCP | 2825564 | ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 16, 2023 14:31:59.035231113 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:31:59.275862932 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:31:59.275995016 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:00.007015944 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:00.247627020 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:00.247680902 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:00.488594055 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:04.581043959 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:04.822370052 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:20.026465893 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:20.026551008 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:31.558994055 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:31.559171915 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:33.582874060 CET | 49729 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:33.584408998 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:33.823575974 CET | 12419 | 49729 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:33.826924086 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:33.827033997 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:33.827941895 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:34.069569111 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:34.069645882 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:32:34.311275005 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:49.314373970 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:32:49.314538956 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:04.417042971 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:04.566236019 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:06.119353056 CET | 12419 | 49736 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:06.119787931 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:06.487353086 CET | 49736 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:06.652798891 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:06.893275023 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:06.893388033 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:06.894258022 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:07.134310007 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:07.134712934 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:07.375221968 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:11.248801947 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:11.488835096 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:26.591304064 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:26.591372967 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:39.211601973 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:39.211679935 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:41.269531012 CET | 49738 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:41.283359051 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:41.509959936 CET | 12419 | 49738 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:41.524477005 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:41.524585962 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:41.525415897 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:41.766379118 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:41.766454935 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:42.007452965 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:42.660469055 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:33:42.901652098 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:57.915380955 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:33:57.915451050 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:34:13.158987045 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:34:13.159055948 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:34:13.836472988 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:34:13.836541891 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:34:15.882673979 CET | 49739 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:34:16.123564959 CET | 12419 | 49739 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:34:16.284879923 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:16.525989056 CET | 12419 | 49740 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:16.526078939 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:16.527045012 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:16.768194914 CET | 12419 | 49740 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:16.768266916 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:17.009557962 CET | 12419 | 49740 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:32.010734081 CET | 12419 | 49740 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:32.010790110 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:34.417634010 CET | 12419 | 49740 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:34.566462994 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:36.429744005 CET | 49740 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:36.486466885 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:36.728203058 CET | 12419 | 49741 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:36.728286028 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:36.729114056 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:36.970912933 CET | 12419 | 49741 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:36.971004963 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:37.212752104 CET | 12419 | 49741 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:37.719657898 CET | 12419 | 49741 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:37.719733000 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:39.747711897 CET | 49741 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:39.989487886 CET | 12419 | 49741 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:40.082439899 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:40.324565887 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:40.324650049 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:40.325313091 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:40.567329884 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:40.567429066 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:34:40.809442043 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:55.811029911 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:34:55.811111927 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:09.019859076 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:09.020138025 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.059429884 CET | 49742 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.085500002 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.301548004 CET | 12419 | 49742 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:11.326488018 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:11.326592922 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.327522039 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.568744898 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:11.568835020 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:11.809950113 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:13.739948034 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:13.980770111 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:29.226701975 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:29.226794004 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:43.617218971 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:43.617324114 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:45.629297018 CET | 49743 | 12419 | 192.168.2.4 | 3.69.157.220 |
| Dec 16, 2023 14:35:45.870225906 CET | 12419 | 49743 | 3.69.157.220 | 192.168.2.4 |
| Dec 16, 2023 14:35:55.828751087 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:35:56.070957899 CET | 12419 | 49744 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:35:56.071086884 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:35:56.072046995 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:35:56.313889980 CET | 12419 | 49744 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:35:56.314002037 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:35:56.555645943 CET | 12419 | 49744 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:36:04.427779913 CET | 12419 | 49744 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:36:04.473119020 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Dec 16, 2023 14:36:16.980392933 CET | 12419 | 49744 | 3.69.115.178 | 192.168.2.4 |
| Dec 16, 2023 14:36:16.980572939 CET | 49744 | 12419 | 192.168.2.4 | 3.69.115.178 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 16, 2023 14:31:58.778795958 CET | 63632 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2023 14:31:59.012172937 CET | 53 | 63632 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2023 14:33:06.488557100 CET | 62579 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2023 14:33:06.631305933 CET | 53 | 62579 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2023 14:34:15.883997917 CET | 51330 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2023 14:34:16.010274887 CET | 53 | 51330 | 1.1.1.1 | 192.168.2.4 |
| Dec 16, 2023 14:35:49.703478098 CET | 59019 | 53 | 192.168.2.4 | 1.1.1.1 |
| Dec 16, 2023 14:35:49.844868898 CET | 53 | 59019 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 16, 2023 14:31:58.778795958 CET | 192.168.2.4 | 1.1.1.1 | 0xb3b | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2023 14:33:06.488557100 CET | 192.168.2.4 | 1.1.1.1 | 0x9213 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2023 14:34:15.883997917 CET | 192.168.2.4 | 1.1.1.1 | 0x7f52 | Standard query (0) | A (IP address) | IN (0x0001) | false | |
| Dec 16, 2023 14:35:49.703478098 CET | 192.168.2.4 | 1.1.1.1 | 0x9304 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 16, 2023 14:31:59.012172937 CET | 1.1.1.1 | 192.168.2.4 | 0xb3b | No error (0) | 3.69.115.178 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2023 14:33:06.631305933 CET | 1.1.1.1 | 192.168.2.4 | 0x9213 | No error (0) | 3.69.115.178 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2023 14:34:16.010274887 CET | 1.1.1.1 | 192.168.2.4 | 0x7f52 | No error (0) | 3.69.157.220 | A (IP address) | IN (0x0001) | false | ||
| Dec 16, 2023 14:35:49.844868898 CET | 1.1.1.1 | 192.168.2.4 | 0x9304 | No error (0) | 3.69.115.178 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 14:31:51 |
| Start date: | 16/12/2023 |
| Path: | C:\Users\user\Desktop\myidJB8lDL.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdc0000 |
| File size: | 93'184 bytes |
| MD5 hash: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 14:31:52 |
| Start date: | 16/12/2023 |
| Path: | C:\Users\user\AppData\Local\Temp\server.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x980000 |
| File size: | 93'184 bytes |
| MD5 hash: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
| Target ID: | 2 |
| Start time: | 14:31:54 |
| Start date: | 16/12/2023 |
| Path: | C:\Windows\SysWOW64\netsh.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1560000 |
| File size: | 82'432 bytes |
| MD5 hash: | 4E89A1A088BE715D6C946E55AB07C7DF |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 3 |
| Start time: | 14:31:54 |
| Start date: | 16/12/2023 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 5 |
| Start time: | 14:32:16 |
| Start date: | 16/12/2023 |
| Path: | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x4e0000 |
| File size: | 93'184 bytes |
| MD5 hash: | B83412EE8E4B5E4B96D43FF7832CAC8F |
| Has elevated privileges: | false |
| Has administrator privileges: | false |
| Programmed in: | .Net C# or VB.NET |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 10.6% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 58 |
| Total number of Limit Nodes: | 4 |
Graph
Callgraph
Function 055A4298 Relevance: 10.7, Strings: 7, Instructions: 1950COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A427D Relevance: 10.5, Strings: 7, Instructions: 1755COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAE77 Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EA9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAB7C Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EA61E Relevance: 1.6, APIs: 1, Instructions: 65comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EA573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EB424 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EB446 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EA59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EA65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013EAA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A0958 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A3815 Relevance: .5, Instructions: 488COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A39BF Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A3B18 Relevance: .1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A00B8 Relevance: .1, Instructions: 96COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A0118 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013C05E0 Relevance: .0, Instructions: 43COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A0879 Relevance: .0, Instructions: 40COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A00A8 Relevance: .0, Instructions: 39COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013C0606 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A36A8 Relevance: .0, Instructions: 19COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013E23F4 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 013E23BC Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 055A0076 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Execution Graph
| Execution Coverage: | 12.8% |
| Dynamic/Decrypted Code Coverage: | 100% |
| Signature Coverage: | 0% |
| Total number of Nodes: | 52 |
| Total number of Limit Nodes: | 4 |
Graph
Callgraph
Function 0099AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099A9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099AB7C Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099ADCE Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099A61E Relevance: 1.6, APIs: 1, Instructions: 65comCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099ADEE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099ABBE Relevance: 1.5, APIs: 1, Instructions: 43COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099A65E Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 0099AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E902C0 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E937F9 Relevance: .5, Instructions: 495COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E939B7 Relevance: .2, Instructions: 182COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E93B10 Relevance: .1, Instructions: 111COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E900B8 Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E90118 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EA05BF Relevance: .0, Instructions: 45COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EA05E0 Relevance: .0, Instructions: 44COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E901E1 Relevance: .0, Instructions: 41COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E900A8 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EA05CF Relevance: .0, Instructions: 37COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00EA0606 Relevance: .0, Instructions: 27COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 00E93010 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 009923F4 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Function 009923BC Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |