Edit tour

Windows Analysis Report
6038732).vbs

Overview

General Information

Sample name:	6038732).vbs renamed because original name is a hash value
Original sample name:	_(PO_46038732).vbs
Analysis ID:	1419946
MD5:	9ccb8c031d05f56b6f480305f2ab46af
SHA1:	46b59f675728e4952912e707ad5c2b53d05bd5bf
SHA256:	679f185b79a90236b1d85ef1fc7716dab2784ef51e0d3a0e36b9f0772aa6bb32
Tags:	vbs
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected Lokibot

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Potential malicious VBS script found (has network functionality)

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: AspNetCompiler Execution

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Tries to load missing DLLs

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6852 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

x.exe (PID: 5728 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 86428E9EEC10E20491350EBEF66CF118)

aspnet_compiler.exe (PID: 2760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://bertol-metal.site/PWS/fre.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x530f4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x404a7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x4eceb:$des3: 68 03 66 00 00 0x530f4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x531c0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17690:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4a5b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1329f:$des3: 68 03 66 00 00 0x17690:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1775c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: x.exe PID: 5728	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: x.exe PID: 5728	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: x.exe PID: 5728	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xd20fb:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x13e3cc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: aspnet_compiler.exe PID: 2760	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2760	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 2760	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1dfc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.x.exe.40fd2a0.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.x.exe.40fd2a0.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.x.exe.40fd2a0.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.x.exe.40fd2a0.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
2.2.x.exe.40fd2a0.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.x.exe.30c98dc.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.x.exe.30c98dc.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.x.exe.30c98dc.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.x.exe.30c98dc.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1a818:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.x.exe.30c98dc.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7bcb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.x.exe.30c98dc.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x171dc:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x17424:$a2: last_compatible_version
2.2.x.exe.30c98dc.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1640f:$des3: 68 03 66 00 00 0x1a818:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1a8e4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.x.exe.30c98dc.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x1995e:$f1: FileZilla\recentservers.xml 0x1999e:$f2: FileZilla\sitemanager.xml 0x17c0e:$b2: Mozilla\Firefox\Profiles 0x17978:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x17b22:$s4: logins.json 0x189cc:$s6: wand.dat 0x1744c:$a1: username_value 0x1743c:$a2: password_value 0x17a87:$a3: encryptedUsername 0x17af4:$a3: encryptedUsername 0x17a9a:$a4: encryptedPassword 0x17b08:$a4: encryptedPassword
2.2.x.exe.40fd2a0.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.x.exe.40fd2a0.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.x.exe.40fd2a0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.x.exe.40fd2a0.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.x.exe.40fd2a0.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.x.exe.40fd2a0.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.x.exe.40fd2a0.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.x.exe.40fd2a0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.aspnet_compiler.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
3.2.aspnet_compiler.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.aspnet_compiler.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
3.2.aspnet_compiler.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.aspnet_compiler.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 32 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", ProcessId: 6852, ProcessName: wscript.exe

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 5728, ParentProcessName: x.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 2760, ProcessName: aspnet_compiler.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs", ProcessId: 6852, ProcessName: wscript.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php	URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Avira: detection malicious, Label: HEUR/AGEN.1323805

Found malware configuration

Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://bertol-metal.site/PWS/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\x.exe	Virustotal: Detection: 33%			Perma Link

Multi AV Scanner detection for submitted file

Source: 6038732).vbs

Virustotal: Detection: 13%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe

Joe Sandbox ML: detected

Source:	Binary string: March_PO.pdbXA source: wscript.exe, 00000000.00000003.2142335097.00000286E2164000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2147261887.00000286E3106000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141170460.00000286E2DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2146556146.00000286E2810000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000000.2140926311.0000000000CB2000.00000002.00000001.01000000.00000006.sdmp, x.exe.0.dr
Source:	Binary string: March_PO.pdb source: wscript.exe, 00000000.00000003.2142335097.00000286E2164000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2147261887.00000286E3106000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141170460.00000286E2DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2146556146.00000286E2810000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000000.2140926311.0000000000CB2000.00000002.00000001.01000000.00000006.sdmp, x.exe.0.dr
Source:	Binary string: BATMAN.pdbxD source: x.exe, 00000002.00000002.2146973436.0000000005580000.00000004.08000000.00040000.00000000.sdmp, x.exe, 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.3.dr
Source:	Binary string: BATMAN.pdb source: x.exe, 00000002.00000002.2146973436.0000000005580000.00000004.08000000.00040000.00000000.sdmp, x.exe, 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_00403D74 FindFirstFileW,

3_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F1285C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F145F0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F145E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F149C0
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F149B4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02F13D1D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: https://bertol-metal.site/PWS/fre.php

Potential malicious VBS script found (has network functionality)

Source:

Initial file: obj3.SaveToFile obj4.BuildPath(obj5, "x.exe"), 2

Source: unknown

DNS traffic detected: query: bertol-metal.site replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_00404ED4 recv,

3_2_00404ED4

Source: unknown

DNS traffic detected: queries for: bertol-metal.site

Source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp

String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: x.exe PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 2760, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F112D8	2_2_02F112D8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F112C9	2_2_02F112C9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F15A38	2_2_02F15A38
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F15C81	2_2_02F15C81
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F15C43	2_2_02F15C43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0040549C	3_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_004029D4	3_2_004029D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00405B6F appears 42 times

Source: 6038732).vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: x.exe PID: 5728, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 2760, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: x.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: x.exe.0.dr, TQu9uYZqjckwZJ3vo0.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, TQu9uYZqjckwZJ3vo0.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winVBS@5/5@26/0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

3_2_0040434D

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Mutant created: NULL

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\x.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 6038732).vbs

Virustotal: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: March_PO.pdbXA source: wscript.exe, 00000000.00000003.2142335097.00000286E2164000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2147261887.00000286E3106000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141170460.00000286E2DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2146556146.00000286E2810000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000000.2140926311.0000000000CB2000.00000002.00000001.01000000.00000006.sdmp, x.exe.0.dr
Source:	Binary string: March_PO.pdb source: wscript.exe, 00000000.00000003.2142335097.00000286E2164000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2147261887.00000286E3106000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2141170460.00000286E2DF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2146556146.00000286E2810000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000002.00000000.2140926311.0000000000CB2000.00000002.00000001.01000000.00000006.sdmp, x.exe.0.dr
Source:	Binary string: BATMAN.pdbxD source: x.exe, 00000002.00000002.2146973436.0000000005580000.00000004.08000000.00040000.00000000.sdmp, x.exe, 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: 31437F.exe.3.dr
Source:	Binary string: BATMAN.pdb source: x.exe, 00000002.00000002.2146973436.0000000005580000.00000004.08000000.00040000.00000000.sdmp, x.exe, 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\x.exe");

.NET source code contains potential unpacker

Source: x.exe.0.dr, cnXxnsKdSMBfecO5Dq.cs	.Net Code: dyfPQu9uY System.Reflection.Assembly.Load(byte[])
Source: x.exe.0.dr, p7Z4bI6upEkiMwFWOe.cs	.Net Code: p7Z64bIup System.Reflection.Assembly.Load(byte[])
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, cnXxnsKdSMBfecO5Dq.cs	.Net Code: dyfPQu9uY System.Reflection.Assembly.Load(byte[])
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, p7Z4bI6upEkiMwFWOe.cs	.Net Code: p7Z64bIup System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 2.2.x.exe.40fd2a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2760, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 2_2_02F16817 push eax; iretd	2_2_02F1681D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AFC

Source: x.exe.0.dr

Static PE information: section name: .text entropy: 7.687058615335892

Source: x.exe.0.dr, pokF6E8QiVgoyWmgli.cs	High entropy of concatenated method names: 'VcRYM2Tul', 'RL306O7Hx', 'OQQNsddhI', 'AWHE0M7pN', 'sBTeA3fNy', 'yhfc51XlAK1e28gIRo', 'VRXu2XfJiWRHc5y1tc', 'vfBPhP7De2khupuCdR', 'B30opfWFCfkRYHpOUH', 'vsNDYqgCPpAShPOCon'
Source: x.exe.0.dr, cnXxnsKdSMBfecO5Dq.cs	High entropy of concatenated method names: 'S5Co562Mm', 'dyfPQu9uY', 'CjcdkwZJ3', 'So0XVyODQ', 'LL2JMxtoCsZ0rXae4j', 'itNpoHrMQOa6CHWhjv', 'RFyPVlP25TbL1t0vAx', 'ymELYYmWp4lm75EYJy', 'C51qhDKlsnW26ucsmC'
Source: x.exe.0.dr, ursq9XwW5VrKV7cRM2.cs	High entropy of concatenated method names: 'QbDMJcw50vt974haecp', 'nhe2HkwiIMUOLNm73Fb', 'H1ELw8f5L', 'sopCKD3Ut', 'k4m3VqoJG', 'jG9Q7mXd9', 'T1CvpGtNt', 'S6sVZDIi7', 'ef8f6WhTl', 'iPqHvs6aT'
Source: x.exe.0.dr, p7Z4bI6upEkiMwFWOe.cs	High entropy of concatenated method names: 'p7Z64bIup', 'AkipMwFWO', 'AU1S1VMUo', 'jj2cKNRYR', 'qRAaXURMjSOT2eRSKT', 'noGtjAQvFemSTJVGpq', 'sZMRuOs5m8e1gqS6QK', 'Ssk6fXYAWUV4n8cJW8', 'TC0pPl4sF8xcfKZCs0', 'jlr80tTviDJDxEKSa9'
Source: x.exe.0.dr, Form1.cs	High entropy of concatenated method names: 'Dispose', 'S7lKQWBcg', 'zypwrD66v458RbShBs', 'F52ohqAAiwULb9FLDc', 'v6J4XxlCproaK1iJIt', 'C8E6b7S0UAnLqEvdTx', 'cEbdT0ZZo9VmXHV9MM', 'k9MFjUHUM7yMg1PjnA', 'ajqOrOFNmi0numsETc', 'NFsoJtVJQSid4X1Yrf'
Source: x.exe.0.dr, TQu9uYZqjckwZJ3vo0.cs	High entropy of concatenated method names: 'SQ5UH35HE', 'FjDR6xrcH', 'j3HF4WnFG', 'clLkBH8Cg', 'nVGswmRCb', 'gYxwb0wusxj0SL9r3G9', 'qMkCyev4esGXNqaYIw', 'vHUKfSzOmWMsMVYKnD', 'Wp2IMKwwVk0d8F78JYG', 'oF9UZowb9MPNvQS3aMd'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, pokF6E8QiVgoyWmgli.cs	High entropy of concatenated method names: 'VcRYM2Tul', 'RL306O7Hx', 'OQQNsddhI', 'AWHE0M7pN', 'sBTeA3fNy', 'yhfc51XlAK1e28gIRo', 'VRXu2XfJiWRHc5y1tc', 'vfBPhP7De2khupuCdR', 'B30opfWFCfkRYHpOUH', 'vsNDYqgCPpAShPOCon'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, cnXxnsKdSMBfecO5Dq.cs	High entropy of concatenated method names: 'S5Co562Mm', 'dyfPQu9uY', 'CjcdkwZJ3', 'So0XVyODQ', 'LL2JMxtoCsZ0rXae4j', 'itNpoHrMQOa6CHWhjv', 'RFyPVlP25TbL1t0vAx', 'ymELYYmWp4lm75EYJy', 'C51qhDKlsnW26ucsmC'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, ursq9XwW5VrKV7cRM2.cs	High entropy of concatenated method names: 'QbDMJcw50vt974haecp', 'nhe2HkwiIMUOLNm73Fb', 'H1ELw8f5L', 'sopCKD3Ut', 'k4m3VqoJG', 'jG9Q7mXd9', 'T1CvpGtNt', 'S6sVZDIi7', 'ef8f6WhTl', 'iPqHvs6aT'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, p7Z4bI6upEkiMwFWOe.cs	High entropy of concatenated method names: 'p7Z64bIup', 'AkipMwFWO', 'AU1S1VMUo', 'jj2cKNRYR', 'qRAaXURMjSOT2eRSKT', 'noGtjAQvFemSTJVGpq', 'sZMRuOs5m8e1gqS6QK', 'Ssk6fXYAWUV4n8cJW8', 'TC0pPl4sF8xcfKZCs0', 'jlr80tTviDJDxEKSa9'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'S7lKQWBcg', 'zypwrD66v458RbShBs', 'F52ohqAAiwULb9FLDc', 'v6J4XxlCproaK1iJIt', 'C8E6b7S0UAnLqEvdTx', 'cEbdT0ZZo9VmXHV9MM', 'k9MFjUHUM7yMg1PjnA', 'ajqOrOFNmi0numsETc', 'NFsoJtVJQSid4X1Yrf'
Source: 0.2.wscript.exe.286e28990e0.1.raw.unpack, TQu9uYZqjckwZJ3vo0.cs	High entropy of concatenated method names: 'SQ5UH35HE', 'FjDR6xrcH', 'j3HF4WnFG', 'clLkBH8Cg', 'nVGswmRCb', 'gYxwb0wusxj0SL9r3G9', 'qMkCyev4esGXNqaYIw', 'vHUKfSzOmWMsMVYKnD', 'Wp2IMKwwVk0d8F78JYG', 'oF9UZowb9MPNvQS3aMd'

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe			Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Window / User API: threadDelayed 989

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1936	Thread sleep count: 989 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1936	Thread sleep time: -59340000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_00403D74 FindFirstFileW,

3_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\x.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: x.exe, 00000002.00000002.2146095944.00000000042D2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
Source: x.exe, 00000002.00000002.2146095944.000000000431B000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2146095944.0000000004363000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKg
Source: x.exe, 00000002.00000002.2146095944.000000000413A000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2146095944.000000000420F000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2146095944.0000000004271000.00000004.00000800.00020000.00000000.sdmp, x.exe, 00000002.00000002.2146095944.00000000041B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `hGfs79njrfh4rlW/g/ELQPl2byr
Source: x.exe, 00000002.00000002.2146095944.00000000040B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %vL+o+HIpxflaQUFdyuioERPAot/W4EM5/xTa5gjxAAAAAGFXntLKgBbAfHB9ThGfs79njrfh4rlW/g/ELQPl2byrAAAAAGFXntLKgBbAvotC0B06uz5XPhM/Q42Rw/ZmRbohjLNQAAAAAGFXntLKgBbA55VlonSSerVyzUKNGzyf6daF/3B3nIS/AAAAAEz4eZtavaLAAAAAADd5O
Source: aspnet_compiler.exe, 00000003.00000002.3419197360.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 2_2_02F147E8 CheckRemoteDebuggerPresent,

2_2_02F147E8

Source: C:\Users\user\AppData\Local\Temp\x.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]

3_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,

3_2_00402B7C

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\System32\wscript.exe

File created: x.exe.0.dr

Jump to dropped file

.NET source code references suspicious native API functions

Source: 2.2.x.exe.30c98dc.1.raw.unpack, BATMAN.cs	Reference to suspicious API methods: WriteProcessMemory_API(processInformation.HasanHandle, num9 + 8, bytes, 4, ref bytesWritten)
Source: 2.2.x.exe.30c98dc.1.raw.unpack, BATMAN.cs	Reference to suspicious API methods: ReadProcessMemory_API(processInformation.HasanHandle, num9 + 8, ref buffer, 4, ref bytesWritten)
Source: 2.2.x.exe.30c98dc.1.raw.unpack, BATMAN.cs	Reference to suspicious API methods: VirtualAllocEx_API(processInformation.HasanHandle, 0, length, 12288, 64)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 9ED008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"			Jump to behavior

Source: x.exe, 00000002.00000002.2145896824.0000000003104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: x.exe, 00000002.00000002.2145896824.0000000003104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: x.exe, 00000002.00000002.2145896824.0000000003104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndt-
Source: x.exe, 00000002.00000002.2145896824.0000000003104000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progmant-

Source: C:\Users\user\AppData\Local\Temp\x.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\x.exe VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: x.exe PID: 5728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 2760, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: PopPassword		3_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: SmtpPassword		3_2_0040D069

Source: Yara match	File source: 2.2.x.exe.30c98dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.x.exe.40fd2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Native API	221 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	312 Process Injection	11 Deobfuscate/Decode Files or Information	2 Credentials in Registry	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	5 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6038732).vbs	5%	ReversingLabs	Win32.Dropper.Generic
6038732).vbs	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\x.exe	100%	Avira	HEUR/AGEN.1323805
C:\Users\user\AppData\Local\Temp\x.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\x.exe	38%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\x.exe	33%	Virustotal		Browse
C:\Users\user\AppData\Roaming\188E93\31437F.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\188E93\31437F.exe	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bertol-metal.site	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	100%	URL Reputation	malware
http://alphastand.win/alien/fre.php	100%	URL Reputation	malware
http://alphastand.trade/alien/fre.php	100%	URL Reputation	malware
http://alphastand.top/alien/fre.php	100%	URL Reputation	malware
http://www.ibsensoftware.com/	0%	URL Reputation	safe
https://bertol-metal.site/PWS/fre.php	0%	Avira URL Cloud	safe
https://bertol-metal.site/PWS/fre.php	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bertol-metal.site	unknown	unknown	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bertol-metal.site/PWS/fre.php	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: malware	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1419946
Start date and time:	2024-04-04 08:58:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	6038732).vbs renamed because original name is a hash value
Original Sample Name:	_(PO_46038732).vbs
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winVBS@5/5@26/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:59:10	API Interceptor	991x Sleep call for process: aspnet_compiler.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\188E93\31437F.exe	cirby0J3LP.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm, zgRAT	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	3vj5tYFb6a.exe	Get hash	malicious	Snake Keylogger, zgRAT	Browse
	50000PCSPIC12F1501-ESN.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe	Get hash	malicious	XWorm	Browse
	Jdxvyx.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe	Get hash	malicious	AgentTesla	Browse
	shipping_doc_62085317440.exe	Get hash	malicious	AgentTesla	Browse
	PRE-ALERT_IOF23-24JPR1298.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\x.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Temp\x.exe

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	210432
Entropy (8bit):	6.700241503730802
Encrypted:	false
SSDEEP:	3072:jZhf3Iz6k/gNaJ5QAyem7w8yCgWLUmwrQoGiWorQCFC7ZeJAd4:jX3I6aOs5Q2m7RFgWLUSoGarQfkJA
MD5:	86428E9EEC10E20491350EBEF66CF118
SHA1:	72BBC88F3099E66557D571838DD98AA74C103B61
SHA-256:	0130D1816F3720AED33AE563B0A561C9EA27E24DFEA4DD5501C853DA02C4B851
SHA-512:	14F15F8115697E40C14F94B46D59FCB68AC751F200CF3AD0CA62999641DB481EF7F085F0BD54D0E26BAFF107F05E6AE6DE8D073392DD8A1D8808A6C83B40387A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38% Antivirus: Virustotal, Detection: 33%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...? .f..............0.."..........~A... ...`....@.. ....................................`.................................0A..K....`...............................@............................................... ............... ..H............text....!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............4..............@..B................`A......H.......TZ..xB.............6...........................................^(....8.....((...8.....&~..........~....*..0..........8t.......E....i...........8d.....(M... .l..(M...%& .l..(M...(....%& .l..(M...%& .l..(M...%&o.... .l..(M...%& .l..(M...%&o....%& .l..(M... .l..(M...%&o....%& .l..(M...%& .l..(M...%&o....(....%&..8.... .l..(M...%&.. ....(....:%...& ....8....(....%&(...... ....(....9....& ....8.....(?...(....%&%.(?......%.(?...~.....%..(?......%..(?.....(?........... ..

C:\Users\user\AppData\Roaming\188E93\31437F.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	56368
Entropy (8bit):	6.120994357619221
Encrypted:	false
SSDEEP:	768:fF9E8FLLs2Zokf85d9PTV6Iq8Fnqf7P+WxqWKnz8DH:ffE6EkfOd9PT86dWvKgb
MD5:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
SHA1:	19DFD86294C4A525BA21C6AF77681B2A9BBECB55
SHA-256:	99A2C778C9A6486639D0AFF1A7D2D494C2B0DC4C7913EBCB7BFEA50A2F1D0B09
SHA-512:	94F0ACE37CAE77BE9935CF4FC8AAA94691343D3B38DE5E16C663B902C220BFF513CD02256C7AF2D815A23DD30439582DDBB0880009C76BBF36FF8FBC1A6DDC18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: cirby0J3LP.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.CrypterX-gen.12642.14495.exe, Detection: malicious, Browse Filename: 3vj5tYFb6a.exe, Detection: malicious, Browse Filename: 50000PCSPIC12F1501-ESN.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.KeyloggerX-gen.6339.24340.exe, Detection: malicious, Browse Filename: Jdxvyx.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.11530.1442.exe, Detection: malicious, Browse Filename: shipping_doc_62085317440.exe, Detection: malicious, Browse Filename: PRE-ALERT_IOF23-24JPR1298.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A>.]..............0................. ........@.. ....................................`.................................t...O.......................0B..........<................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......t3..pc.............X...<........................................0..........s.....Y.....(.....Z.....&..(......+....(....o......r...p(....-..r...p(....,.....X....i2..-;(....(..........%.r!..p.(....(....((...(....(....(....( .....-.(7...(......(....-...~S...-.~R....S...s!.....~W...o"....~U...o#....~V...o$....o%...~Y...o&...~S...~Q...~T....s'....P...~P...sE...o(............~W....@_,s.....()...r7..p.$(*........o+..........o,....2....... ....37(....(8.........%...o-....

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	884BB48A55DA67B4812805CB8905277D
SHA1:	6B3D33E00F5B9DEAE2826F80644CB4F6E78B7401
SHA-256:	78877FA898F0B4C45C9C33AE941E40617AD7C8657A307DB62BC5691F92F4F60E
SHA-512:	989A38778FC961EB2C79E70621EABFB4B22D6537F08A71359B27AF495646E304EE252A523769F66B75BC2FAF546ACB22A71B358B51221174AC0D964DA7A62821
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.................................................

Static File Info

General

File type:	ASCII text, with very long lines (65294), with CRLF line terminators
Entropy (8bit):	5.370097670545895
TrID:
File name:	6038732).vbs
File size:	326'759 bytes
MD5:	9ccb8c031d05f56b6f480305f2ab46af
SHA1:	46b59f675728e4952912e707ad5c2b53d05bd5bf
SHA256:	679f185b79a90236b1d85ef1fc7716dab2784ef51e0d3a0e36b9f0772aa6bb32
SHA512:	e770c40e9853a2f5e12df60ec6322251c2161632d9fe877b6b27cc2484ddb05ee994ac87746528078ce4f3099c67c354e5ae58305c678d48d5bd323f41a76fe2
SSDEEP:	3072:CVyjR8xVe3LPd80Cn4oCpE6v3bwis9Tx5ivFeV/QO+uS7IB3WXvN20ZRw19qLQUW:/vNDbwh7yqQrcBsl2L19EQaQGSm1WD
TLSH:	6E64F5B36E321DE11CE688834EC32EE55A502CDB4251567279F9B58C233E0E215F9EED
File Content Preview:	Dim x, y, z..x = "MSXML2.DOMDocument"..y = "text"..z = "bin.base64"....Set obj1 = CreateObject(x)..Set obj2 = obj1.createElement(y)..obj2.DataType = z....' Replace "yourbase64strjbg" with your actual base64 encoded content..Dim base64String..base64String

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2024 08:59:11.595223904 CEST	64341	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:11.723458052 CEST	53	64341	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:16.264236927 CEST	59187	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:16.392632008 CEST	53	59187	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:21.396836996 CEST	56620	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:21.524950981 CEST	53	56620	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:26.272829056 CEST	56457	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:26.400492907 CEST	53	56457	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:31.320167065 CEST	55668	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:31.445250988 CEST	53	55668	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:36.293565989 CEST	53498	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:36.421109915 CEST	53	53498	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:41.708070040 CEST	61267	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:41.836364985 CEST	53	61267	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:46.364387035 CEST	53563	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:46.489454985 CEST	53	53563	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:51.347932100 CEST	52425	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:51.475878954 CEST	53	52425	1.1.1.1	192.168.2.6
Apr 4, 2024 08:59:56.379745007 CEST	60890	53	192.168.2.6	1.1.1.1
Apr 4, 2024 08:59:56.505444050 CEST	53	60890	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:01.319024086 CEST	63367	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:01.446587086 CEST	53	63367	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:06.289778948 CEST	60937	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:06.417781115 CEST	53	60937	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:11.301804066 CEST	54851	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:11.427706003 CEST	53	54851	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:16.256481886 CEST	57198	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:16.385822058 CEST	53	57198	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:21.332794905 CEST	52571	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:21.457876921 CEST	53	52571	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:26.286606073 CEST	65457	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:26.412065983 CEST	53	65457	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:31.745275974 CEST	60491	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:31.872632980 CEST	53	60491	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:36.256928921 CEST	53461	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:36.382585049 CEST	53	53461	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:41.272965908 CEST	57906	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:41.400171041 CEST	53	57906	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:46.327703953 CEST	54925	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:46.453105927 CEST	53	54925	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:51.306715965 CEST	61037	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:51.433093071 CEST	53	61037	1.1.1.1	192.168.2.6
Apr 4, 2024 09:00:56.265233994 CEST	65421	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:00:56.392962933 CEST	53	65421	1.1.1.1	192.168.2.6
Apr 4, 2024 09:01:01.271718979 CEST	60351	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:01:01.399383068 CEST	53	60351	1.1.1.1	192.168.2.6
Apr 4, 2024 09:01:06.249789953 CEST	60789	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:01:06.375431061 CEST	53	60789	1.1.1.1	192.168.2.6
Apr 4, 2024 09:01:11.287098885 CEST	49397	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:01:11.412417889 CEST	53	49397	1.1.1.1	192.168.2.6
Apr 4, 2024 09:01:16.288484097 CEST	51968	53	192.168.2.6	1.1.1.1
Apr 4, 2024 09:01:16.413330078 CEST	53	51968	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 4, 2024 08:59:11.595223904 CEST	192.168.2.6	1.1.1.1	0x8afa	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:16.264236927 CEST	192.168.2.6	1.1.1.1	0x4f9f	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:21.396836996 CEST	192.168.2.6	1.1.1.1	0xa8a5	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:26.272829056 CEST	192.168.2.6	1.1.1.1	0x8fa1	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:31.320167065 CEST	192.168.2.6	1.1.1.1	0x9562	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:36.293565989 CEST	192.168.2.6	1.1.1.1	0xa402	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:41.708070040 CEST	192.168.2.6	1.1.1.1	0xea69	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:46.364387035 CEST	192.168.2.6	1.1.1.1	0x9ee4	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:51.347932100 CEST	192.168.2.6	1.1.1.1	0x7c23	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:56.379745007 CEST	192.168.2.6	1.1.1.1	0xe8d3	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:01.319024086 CEST	192.168.2.6	1.1.1.1	0x5cfb	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:06.289778948 CEST	192.168.2.6	1.1.1.1	0xd9d1	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:11.301804066 CEST	192.168.2.6	1.1.1.1	0xafd1	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:16.256481886 CEST	192.168.2.6	1.1.1.1	0xe9a	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:21.332794905 CEST	192.168.2.6	1.1.1.1	0x4c45	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:26.286606073 CEST	192.168.2.6	1.1.1.1	0x59d2	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:31.745275974 CEST	192.168.2.6	1.1.1.1	0x3ffa	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:36.256928921 CEST	192.168.2.6	1.1.1.1	0x683b	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:41.272965908 CEST	192.168.2.6	1.1.1.1	0x3ff6	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:46.327703953 CEST	192.168.2.6	1.1.1.1	0xa8a5	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:51.306715965 CEST	192.168.2.6	1.1.1.1	0xb789	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:56.265233994 CEST	192.168.2.6	1.1.1.1	0x9b9d	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:01.271718979 CEST	192.168.2.6	1.1.1.1	0x9db2	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:06.249789953 CEST	192.168.2.6	1.1.1.1	0x4ce5	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:11.287098885 CEST	192.168.2.6	1.1.1.1	0x6b81	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:16.288484097 CEST	192.168.2.6	1.1.1.1	0xe609	Standard query (0)	bertol-metal.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 4, 2024 08:59:11.723458052 CEST	1.1.1.1	192.168.2.6	0x8afa	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:16.392632008 CEST	1.1.1.1	192.168.2.6	0x4f9f	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:21.524950981 CEST	1.1.1.1	192.168.2.6	0xa8a5	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:26.400492907 CEST	1.1.1.1	192.168.2.6	0x8fa1	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:31.445250988 CEST	1.1.1.1	192.168.2.6	0x9562	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:36.421109915 CEST	1.1.1.1	192.168.2.6	0xa402	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:41.836364985 CEST	1.1.1.1	192.168.2.6	0xea69	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:46.489454985 CEST	1.1.1.1	192.168.2.6	0x9ee4	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:51.475878954 CEST	1.1.1.1	192.168.2.6	0x7c23	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 08:59:56.505444050 CEST	1.1.1.1	192.168.2.6	0xe8d3	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:01.446587086 CEST	1.1.1.1	192.168.2.6	0x5cfb	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:06.417781115 CEST	1.1.1.1	192.168.2.6	0xd9d1	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:11.427706003 CEST	1.1.1.1	192.168.2.6	0xafd1	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:16.385822058 CEST	1.1.1.1	192.168.2.6	0xe9a	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:21.457876921 CEST	1.1.1.1	192.168.2.6	0x4c45	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:26.412065983 CEST	1.1.1.1	192.168.2.6	0x59d2	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:31.872632980 CEST	1.1.1.1	192.168.2.6	0x3ffa	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:36.382585049 CEST	1.1.1.1	192.168.2.6	0x683b	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:41.400171041 CEST	1.1.1.1	192.168.2.6	0x3ff6	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:46.453105927 CEST	1.1.1.1	192.168.2.6	0xa8a5	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:51.433093071 CEST	1.1.1.1	192.168.2.6	0xb789	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:00:56.392962933 CEST	1.1.1.1	192.168.2.6	0x9b9d	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:01.399383068 CEST	1.1.1.1	192.168.2.6	0x9db2	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:06.375431061 CEST	1.1.1.1	192.168.2.6	0x4ce5	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:11.412417889 CEST	1.1.1.1	192.168.2.6	0x6b81	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false
Apr 4, 2024 09:01:16.413330078 CEST	1.1.1.1	192.168.2.6	0xe609	Name error (3)	bertol-metal.site	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:59:06
Start date:	04/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\6038732).vbs"
Imagebase:	0x7ff649820000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:59:08
Start date:	04/04/2024
Path:	C:\Users\user\AppData\Local\Temp\x.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\x.exe"
Imagebase:	0xcb0000
File size:	210'432 bytes
MD5 hash:	86428E9EEC10E20491350EBEF66CF118
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.2145896824.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.2146095944.00000000040FD000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs Detection: 33%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:59:09
Start date:	04/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x620000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	26%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.2%
Total number of Nodes:	72
Total number of Limit Nodes:	2

Executed Functions

Function 02F147E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02F14876

Strings

eD , xrefs: 02F14807

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: eD
API String ID: 3662101638-3392709236
Opcode ID: 794cdfc1f14d57cc6e485f312fc853ec5fb39a3b0ad303a3f1d48e29d2d82966
Instruction ID: 8b8b963fb04521f57a4800f41bfc50620ebf12dde1824e52d75ca5ea56bcfd8e
Opcode Fuzzy Hash: 794cdfc1f14d57cc6e485f312fc853ec5fb39a3b0ad303a3f1d48e29d2d82966
Instruction Fuzzy Hash: 0E31A9B5D012599FDB10CFAAD980ADEFBF5FB49320F20942AE914B7200C775A945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 02F13D1D Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

eD , xrefs: 02F13D7D
eD , xrefs: 02F13D5A

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: 401a6df626c677fb9441c8637e58711d189e5d32adcb37581cb97759751b6941
Instruction ID: 089c0fe03af895b5fde4a002f2d44f28f045f22cd2bfb06bc5e2a80e5e8e8eb6
Opcode Fuzzy Hash: 401a6df626c677fb9441c8637e58711d189e5d32adcb37581cb97759751b6941
Instruction Fuzzy Hash: 60510FB1E003199FDB14CFA8C984BDEBBF1BB49304F10916AE515BB290DB759849CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02F1285C Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

eD , xrefs: 02F13D7D
eD , xrefs: 02F13D5A

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: 7e569a6d87279e46ccbccf342f197bbcc50515d3a894efc2a94687f12d73942a
Instruction ID: 0debba14f7a209ef58c067ee71ab9b0ef5cfa82c4fdc54b766ba73e268bb64df
Opcode Fuzzy Hash: 7e569a6d87279e46ccbccf342f197bbcc50515d3a894efc2a94687f12d73942a
Instruction Fuzzy Hash: 31510FB0E003199FDB14CFA9C984B9EBBF1BB49304F10916AE915BB390DB759849CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02F17175 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02F1735F

Strings

eD , xrefs: 02F171C1

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: CreateProcess
String ID: eD
API String ID: 963392458-3392709236
Opcode ID: 07ce368d9cd70ad373dbedb6960300dac11bf4d56ac3958bb913dccd6132a75e
Instruction ID: 11f2cce5e651f9708f2c555158821cbf288dd0dce70eb38e6b8b4b9dafa618d4
Opcode Fuzzy Hash: 07ce368d9cd70ad373dbedb6960300dac11bf4d56ac3958bb913dccd6132a75e
Instruction Fuzzy Hash: 2681BE74D00269DFDB25CFA9D980BDEBBF1AB49304F0094AAE548B7220DB709A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02F17180 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02F1735F

Strings

eD , xrefs: 02F171C1

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: CreateProcess
String ID: eD
API String ID: 963392458-3392709236
Opcode ID: a498755b6f42ad934ffeb061d91b421e05ef0a3c2de5c09a77354df6fe931ba9
Instruction ID: f2c5ccd70df1f55665abe8dcf19b445a993bdc10fd21d40efac4aefad899caa3
Opcode Fuzzy Hash: a498755b6f42ad934ffeb061d91b421e05ef0a3c2de5c09a77354df6fe931ba9
Instruction Fuzzy Hash: E281AE74D0026DDFDB25CFA9C980BDEBBF1AB49304F0094AAE548B7220DB749A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02F177E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F178B6

Strings

eD , xrefs: 02F1780D

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: eD
API String ID: 3559483778-3392709236
Opcode ID: 4d8fb52548198fd647b4a84cad0bb0c1fb76f5d7f49170d45c8dbd1d37a31ce6
Instruction ID: a2b428e2887776227b751701722650f1ca3eb9c8e353ee284b82140347d7335f
Opcode Fuzzy Hash: 4d8fb52548198fd647b4a84cad0bb0c1fb76f5d7f49170d45c8dbd1d37a31ce6
Instruction Fuzzy Hash: 884178B5D002589FDB10CFA9D984AEEFBF1BB49314F24902AE918B7210D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F177E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F178B6

Strings

eD , xrefs: 02F1780D

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: eD
API String ID: 3559483778-3392709236
Opcode ID: a45a3b8913f97e6f4327f1caab4cef8af0cfd3346f0089ffc40f3abdb1825d44
Instruction ID: 255590b14727cfc572da53d82131f057a179c2f6e0478d192aa60d414b793f0a
Opcode Fuzzy Hash: a45a3b8913f97e6f4327f1caab4cef8af0cfd3346f0089ffc40f3abdb1825d44
Instruction Fuzzy Hash: 204188B5D002589FDF00CFA9D984AEEFBF1BB49314F24902AE918B7210D375AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F175C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F17675

Strings

eD , xrefs: 02F175ED

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID: eD
API String ID: 1726664587-3392709236
Opcode ID: 2bda1047136000e1cd4606c0de33c4dc353973a23e0b9f6987f763d37af56e97
Instruction ID: b4309c8aeb0b4750e690c7635e72393909545e70f9353de45cbfcf8e03705895
Opcode Fuzzy Hash: 2bda1047136000e1cd4606c0de33c4dc353973a23e0b9f6987f763d37af56e97
Instruction Fuzzy Hash: 984178B9D04258DFCF10CFAAD984ADEFBB1BB49310F14906AE918B7210D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F175C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02F17675

Strings

eD , xrefs: 02F175ED

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: MemoryProcessRead
String ID: eD
API String ID: 1726664587-3392709236
Opcode ID: b3e42d0e3916eb147f71c878b362ad33e11d25548bb140b8563a038a0e84c14a
Instruction ID: 4879710bf17d5119e05c1fb2aa81b878f0a8d92425c411a1913ac62d0568c489
Opcode Fuzzy Hash: b3e42d0e3916eb147f71c878b362ad33e11d25548bb140b8563a038a0e84c14a
Instruction Fuzzy Hash: FC3168B9D04258DFCF10CFAAD984ADEFBB5BB09310F10906AE918B7210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F176D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02F17785

Strings

eD , xrefs: 02F176FD

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: AllocVirtual
String ID: eD
API String ID: 4275171209-3392709236
Opcode ID: 929871ee12d851ac7a91df78547c8550e25a74161959e8b6869c1d9fc2467afc
Instruction ID: b0cb718065a58402e02e02db6bfb4c6d101f9abbf96efb932df7f2c3d58a6735
Opcode Fuzzy Hash: 929871ee12d851ac7a91df78547c8550e25a74161959e8b6869c1d9fc2467afc
Instruction Fuzzy Hash: 923187B9D042589FCF10CFA9E980ADEFBB1BB59310F20902AE918B7310D335A905CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F176E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02F17785

Strings

eD , xrefs: 02F176FD

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: AllocVirtual
String ID: eD
API String ID: 4275171209-3392709236
Opcode ID: c059f32919cbb010ca968a7f947164e9cda9658387f84dfc09b4b39ebe813a77
Instruction ID: e6ad0b726f0c7e0cd641f19771b88bc4824b51d290cca55affde7a3d0481e934
Opcode Fuzzy Hash: c059f32919cbb010ca968a7f947164e9cda9658387f84dfc09b4b39ebe813a77
Instruction Fuzzy Hash: 3B3176B9D042589FCF10CFA9D980A9EFBB5BB09310F10A02AE918B7310D335A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02F14BB1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 02F14C51

Strings

eD , xrefs: 02F14BD2

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: EnumWindows
String ID: eD
API String ID: 1129996299-3392709236
Opcode ID: 34d674a53971ba6b84f21780189478981ffe6f5720e5df065d86fb07e20ded85
Instruction ID: 5cd589fb57de799434b347e1923a00d1ddebc17027556e36e16fb1716c8f337c
Opcode Fuzzy Hash: 34d674a53971ba6b84f21780189478981ffe6f5720e5df065d86fb07e20ded85
Instruction Fuzzy Hash: 8831EBB4D05219DFDB14CFA9D980AEEFBB1BF89310F20902AE805B7210C775A941CF68

Uniqueness

Uniqueness Score: -1.00%

Function 02F174B1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02F17562

Strings

eD , xrefs: 02F174DA

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID: eD
API String ID: 983334009-3392709236
Opcode ID: dc66ba68d8f97e425b0ad3fcfa6dea00c328875ed97987609ed3dce368d241ce
Instruction ID: 6a18a772d9db0b789d9f6697c81aab1f44bb1abd84577f867c7c6ef4b6a475d1
Opcode Fuzzy Hash: dc66ba68d8f97e425b0ad3fcfa6dea00c328875ed97987609ed3dce368d241ce
Instruction Fuzzy Hash: E33198B5D012589FCB10CFA9D984AEEFBF1AB49314F24806AE518B7350D378AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02F174B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 02F17562

Strings

eD , xrefs: 02F174DA

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ContextThreadWow64
String ID: eD
API String ID: 983334009-3392709236
Opcode ID: 3c7576aac738e2ef3966689790ef9ab29a2dde081d5a522d2bd3b00838b6a82e
Instruction ID: 776cbdfe4e66a84e86059355e4e3a0402b38b48802fc36333cdd8df7b9abde3d
Opcode Fuzzy Hash: 3c7576aac738e2ef3966689790ef9ab29a2dde081d5a522d2bd3b00838b6a82e
Instruction Fuzzy Hash: A831A7B5D012589FCB10CFAAD984ADEFBF1BB48314F24802AE518B7350D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F14BB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 02F14C51

Strings

eD , xrefs: 02F14BD2

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: EnumWindows
String ID: eD
API String ID: 1129996299-3392709236
Opcode ID: ae7341d1b015ca7a4216c3719a830ca6d233a9b13756db73c4fc53704fa4a6db
Instruction ID: 88eb235ab5400a096d0f7237af974a6c7fd9fff2126ff8d4875a9795b4af5911
Opcode Fuzzy Hash: ae7341d1b015ca7a4216c3719a830ca6d233a9b13756db73c4fc53704fa4a6db
Instruction Fuzzy Hash: 8231D9B4D05219DFDB14CFA9D980AEEFBB1BF89310F20942AE405B7210C775A941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02F147E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02F14876

Strings

eD , xrefs: 02F14807

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: eD
API String ID: 3662101638-3392709236
Opcode ID: 2adfa45a4f8847db9a4ebdbee876ad01d80f74d6788557ce4bee0e2b5c6b776e
Instruction ID: 55806b1728fdfce62f95216fffcff93c493c1356c8cea9792fdb8666aff678e2
Opcode Fuzzy Hash: 2adfa45a4f8847db9a4ebdbee876ad01d80f74d6788557ce4bee0e2b5c6b776e
Instruction Fuzzy Hash: B731B7B4D012589FDB10CFA9D980ADEFBF0BB49320F20842AE904B7210C775A945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F148E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02F14966

Strings

eD , xrefs: 02F14905

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: eD
API String ID: 2591292051-3392709236
Opcode ID: 705d463445d0f915d9d31480fe3cc9f94c725d81c0ddec91b22df168327629dd
Instruction ID: dcd4f8d4f8cd503774d91346095c4e94f139913f0510362e5fa7737bc3b2301a
Opcode Fuzzy Hash: 705d463445d0f915d9d31480fe3cc9f94c725d81c0ddec91b22df168327629dd
Instruction Fuzzy Hash: 3431C9B5D042489FDB10CFA9E594AEEFBF0BB89360F24905AE818B7314D335A941CF64

Uniqueness

Uniqueness Score: -1.00%

Function 02F148E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02F14966

Strings

eD , xrefs: 02F14905

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: eD
API String ID: 2591292051-3392709236
Opcode ID: 66f38a9ea63a35ac8915b487e7c5f61e3a5c901437d57dd8a305d799efb72138
Instruction ID: b957fd7c5f3fe031dcfd34e99c516c0b66857e0d4f49b0762c55d8bf54501ced
Opcode Fuzzy Hash: 66f38a9ea63a35ac8915b487e7c5f61e3a5c901437d57dd8a305d799efb72138
Instruction Fuzzy Hash: 2B21A8B8D002189FDB10CFA9D584ADEFBF4BB49320F20905AE918B7310D335A941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 02F17920 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02F1799E

Strings

eD , xrefs: 02F17945

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ResumeThread
String ID: eD
API String ID: 947044025-3392709236
Opcode ID: 42880fb90274d350fd89c365af2901073ffd6ee13789f23985cf963c43493fc6
Instruction ID: 40b13dade8c4010321ea813f63b42456e95afef590691464b188a3add31622c0
Opcode Fuzzy Hash: 42880fb90274d350fd89c365af2901073ffd6ee13789f23985cf963c43493fc6
Instruction Fuzzy Hash: 9D21B5B9D042189FCF10CFA9D584ADEFBF0AB49320F24906AE918B7310D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F17928 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 02F1799E

Strings

eD , xrefs: 02F17945

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID: ResumeThread
String ID: eD
API String ID: 947044025-3392709236
Opcode ID: 14f728533f208c3fdb405985ac28bfe750badf7680bcfb57b461f669f48382ec
Instruction ID: 4e2b65f0585de36d49ecf47dc27526a79f36f91bc66b0cc2d132c4cad1684f0e
Opcode Fuzzy Hash: 14f728533f208c3fdb405985ac28bfe750badf7680bcfb57b461f669f48382ec
Instruction Fuzzy Hash: FF21B7B8D042089FCF10CFA9D584ADEFBF4AB49320F24905AE918B7310D335A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 015CD01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145331571.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cd000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93400640ce1dd0383a022945b42c66a4c2f062694684d43242b7a38bcb996b29
Instruction ID: 8d00ffedc27652b872d9b874ef92cac4e639743800dc7ae04ecfbf4a5aabe01f
Opcode Fuzzy Hash: 93400640ce1dd0383a022945b42c66a4c2f062694684d43242b7a38bcb996b29
Instruction Fuzzy Hash: 7121F271604244DFDB14DFA8D584B2ABBB5FB84B14F20C97DE9099F242D33AD847C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 015CD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145331571.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_15cd000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280a822da978a7cf6d75c460037deca91b90bbecdaeef27421a460c589b3d673
Instruction ID: a4b490d7dab1b20e90fb6150d4f13925df09c2f96999bedb929d43b95944c3c9
Opcode Fuzzy Hash: 280a822da978a7cf6d75c460037deca91b90bbecdaeef27421a460c589b3d673
Instruction Fuzzy Hash: D821A1755093808FC712DF68C594B15BFB1BB46614F28C5EED849CF6A3D33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F145E4 Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

eD , xrefs: 02F14622
eD , xrefs: 02F14645

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: 5306154e1ae973450e8d9b1ce26c78b07320423d5c36c8194e3f54b796df123d
Instruction ID: 666000ea2b059d6a3b91496fd2b59196cfb37fea1f02f8c729d17de693930ed2
Opcode Fuzzy Hash: 5306154e1ae973450e8d9b1ce26c78b07320423d5c36c8194e3f54b796df123d
Instruction Fuzzy Hash: 3C51FF70E00258CFDB14CFA8C884BDEBBF1BF8A304F14912AD815AB250DB749845CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02F149B4 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

eD , xrefs: 02F14A15
eD , xrefs: 02F149F2

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: f4197880f706f71296985db01ea2e21e0fd357478bf8b54935b1ea1e211e3919
Instruction ID: a54b610c8aa00065efc467c404fe1022ed4ad864172d1487967b77bd409d5b70
Opcode Fuzzy Hash: f4197880f706f71296985db01ea2e21e0fd357478bf8b54935b1ea1e211e3919
Instruction Fuzzy Hash: A851FEB4D00258CFDB14CFA9C984BDEBBB1FF89344F20912AE915AB290DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02F145F0 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

eD , xrefs: 02F14622
eD , xrefs: 02F14645

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: 180b93c807dcf027e81af40f1e7bef73a3c7c5d4c5e3d2efbf141d6e956cc213
Instruction ID: 3020cd68b12078ff0cdaa12f641decac4c6d1a46cc991726c8c54b8890296bfa
Opcode Fuzzy Hash: 180b93c807dcf027e81af40f1e7bef73a3c7c5d4c5e3d2efbf141d6e956cc213
Instruction Fuzzy Hash: B451FE70D00258DFDB14DFA9C984B9EFBF1BF8A304F20912AE915AB250DB749845CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02F149C0 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

eD , xrefs: 02F14A15
eD , xrefs: 02F149F2

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID: eD $eD
API String ID: 0-423000286
Opcode ID: ab2d7133e2eac90176263b8570684799b2f611f11d29b9c9a6519377ec5cc8b5
Instruction ID: de4df753b1a566379a1d6686b6ecca0c1d8cc55418f4c6ae5f62cc8126a2a6f2
Opcode Fuzzy Hash: ab2d7133e2eac90176263b8570684799b2f611f11d29b9c9a6519377ec5cc8b5
Instruction Fuzzy Hash: 4151FFB4D003588FDB14CFA9C984B9EBBB1BB89304F20912AE515AB290DB749845CF49

Uniqueness

Uniqueness Score: -1.00%

Function 02F15A38 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b31d09c51ce4ec58604d4196f57cf0e7923f388720e66a02150b1c7395f46c9
Instruction ID: 0de2c2351d934e1cf34f5702df3900435c6d0df7d872567249d4a1ea77290fc7
Opcode Fuzzy Hash: 2b31d09c51ce4ec58604d4196f57cf0e7923f388720e66a02150b1c7395f46c9
Instruction Fuzzy Hash: 3B711771E056298BDB68CF2AC9457DAF7F2AFC9300F54C5EA820DA7254EB305A958F40

Uniqueness

Uniqueness Score: -1.00%

Function 02F15C43 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 626958b60e9f44ae26af7d089869b3f421dec1f6e9ce805b45e8989fe5effca4
Instruction ID: 68231ce99faea6a904049a25c17b57b0de2abca8dd77faeb4a45a0f753d90ab7
Opcode Fuzzy Hash: 626958b60e9f44ae26af7d089869b3f421dec1f6e9ce805b45e8989fe5effca4
Instruction Fuzzy Hash: BA511974E056298FCB68DF25C9856DAB7F2EF89340F5085EAC10DA7250EB309F958F40

Uniqueness

Uniqueness Score: -1.00%

Function 02F15C81 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c65ca6f65228cd406bada62c03f0d3cb2523a69159045dad75fda8d1b1816e6
Instruction ID: 52b968854e3ea05d1f764ad2f239759c17ae4775e8a27ea01212b1e4f370cca3
Opcode Fuzzy Hash: 6c65ca6f65228cd406bada62c03f0d3cb2523a69159045dad75fda8d1b1816e6
Instruction Fuzzy Hash: 1641F974E056298FCBA8CF25C9856DAB7F2EF89740F5085EA810DAB250DB309E958F41

Uniqueness

Uniqueness Score: -1.00%

Function 02F112D8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f84515f7695a101d0fbf12cb1a8d7386e641a2c84ad3201f2e8bd9e24a1da13
Instruction ID: a9ebfe5ec7e63cd78cf53f1aff1f767a59ee8f81caebd06cea2727b81f762c64
Opcode Fuzzy Hash: 6f84515f7695a101d0fbf12cb1a8d7386e641a2c84ad3201f2e8bd9e24a1da13
Instruction Fuzzy Hash: 8B21CA71E016188BEB28CF6BD9446DEFAF7AFC9340F04C0B9D50DA6268DB3009468F40

Uniqueness

Uniqueness Score: -1.00%

Function 02F112C9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2145657664.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2f10000_x.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee51b7268bade6ccd1e8925e38c2f7dc5e42e05398c92a59bdfab6a911df5a7f
Instruction ID: 3c6fda50f6b37d9333536de3fcb1907d5e60f77292f9502e74eae4fae3fb01d7
Opcode Fuzzy Hash: ee51b7268bade6ccd1e8925e38c2f7dc5e42e05398c92a59bdfab6a911df5a7f
Instruction Fuzzy Hash: E721AF71D016588FEB68CF6B99446DEFBF3AFC9310F14C0BAD508AA265DB3409468F41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exePID: 2760, Parent PID: 5728COMMON

Execution Graph

Execution Coverage:	29.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	65

Executed Functions

Function 00403D74 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB

Strings

Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Program Files, xrefs: 00403E01
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1974802433-2009209621
Opcode ID: 3bbbd6497c60a9077726dfd724fc9ca0dcd642bdcb2d82800ed9682fff8db66d
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 3bbbd6497c60a9077726dfd724fc9ca0dcd642bdcb2d82800ed9682fff8db66d
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 237076ee3a9b4ea1415c25652d0b6501980df5d44521d3002c06c03fef756dfb
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 237076ee3a9b4ea1415c25652d0b6501980df5d44521d3002c06c03fef756dfb
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 48d55c7a475cf24af0e6b27ac0b0b35998f2ff4cef57853490c59fb148673dc8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 48d55c7a475cf24af0e6b27ac0b0b35998f2ff4cef57853490c59fb148673dc8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 96dd47190825543ab0d2155488efc9e466da80610ec56339a9b7da9a3c2350c6
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 96dd47190825543ab0d2155488efc9e466da80610ec56339a9b7da9a3c2350c6
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 760dd9ac2145a4063b1baf9615d56f983cb47d5a4e4acf2d59287a1dd03a175e
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 760dd9ac2145a4063b1baf9615d56f983cb47d5a4e4acf2d59287a1dd03a175e
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: 0d8c0d4c09172e6f5af4db1cb0f7f59eaf3fb33cbb4c04f86baba7e5becde8fb
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: 0d8c0d4c09172e6f5af4db1cb0f7f59eaf3fb33cbb4c04f86baba7e5becde8fb
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C59 Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(00000000,00000000,004041B3,00000000,F25E823B,00000000,00000000,?,004041B3,00000000,00000000,00000000), ref: 00403C3C

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction ID: 708ff4401ac3282b12d7668d94bc51921ab55dbb6f1a62cfe087fe8b706b923f
Opcode Fuzzy Hash: 5c28da5d626f681fb06662006ab0c2c95d6c94e8822ad681e7d12da421b0949b
Instruction Fuzzy Hash: 57D0127200860CBFEF016EE59C05C7B3F5EEB04255B008825BD18E5021DA37DE2076E5

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

EmailAddress, xrefs: 0040D074
PopPort, xrefs: 0040D0A7
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
PopAccount, xrefs: 0040D0B6
PopPassword, xrefs: 0040D0D0

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3418744123.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6038732).vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x.exe.log

C:\Users\user\AppData\Local\Temp\x.exe

C:\Users\user\AppData\Roaming\188E93\31437F.exe

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
6038732).vbs

Function 02F147E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82
COMMON

Function 02F17175 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 241
processCOMMON

Function 02F17180 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236
processCOMMON

Function 02F177E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111
injectionCOMMON

Function 02F177E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
injectionCOMMON

Function 02F175C0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101
COMMON

Function 02F175C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Function 02F176D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
memoryCOMMON

Function 02F176E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95
memoryCOMMON

Function 02F14BB1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92
COMMON

Function 02F174B1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 91
threadCOMMON

Function 02F174B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88
threadCOMMON

Function 02F14BB8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
COMMON

Function 02F147E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83
COMMON

Function 00403D74 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 200
fileCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre