Windows
Analysis Report
T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Overview
General Information
Sample name: | T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exerenamed because original name is a hash value |
Original sample name: | TBTAK SAGE TEKLF TALEP VE FYAT TEKLF sxlx..exe |
Analysis ID: | 1446501 |
MD5: | 456442e5615445a54f15eae38140c50a |
SHA1: | f81074ce9855601a33b97fb357fbee1bbdd7fcf6 |
SHA256: | 0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5 |
Tags: | exe |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe (PID: 6548 cmdline:
"C:\Users\ user\Deskt op\T#U00dc B#U0130TAK SAGE TEKL #U0130F TA LEP VE F#U 0130YAT TE KL#U0130F# U0130 sxlx ..exe" MD5: 456442E5615445A54F15EAE38140C50A) - conhost.exe (PID: 5972 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - jsc.exe (PID: 6368 cmdline:
"C:\Window s\Microsof t.NET\Fram ework\v4.0 .30319\jsc .exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "royallog@fibraunollc.top", "Password": " 7213575aceACE@#$ "}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD | Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | ||
Click to see the 12 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
Click to see the 18 entries |
System Summary |
---|
Source: | Author: frack113: |
Click to jump to signature section
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Exploits |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Static PE information: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | TCP traffic: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | .Net Code: | ||
Source: | .Net Code: |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_00007FF77C340560 | |
Source: | Code function: | 0_2_00007FF77C328F50 | |
Source: | Code function: | 0_2_00007FF77C33C160 | |
Source: | Code function: | 0_2_00007FF77C33EB10 | |
Source: | Code function: | 0_2_00007FF77C338D40 | |
Source: | Code function: | 0_2_00007FF77C343600 | |
Source: | Code function: | 0_2_00007FF77C32FDA0 | |
Source: | Code function: | 0_2_00007FF77C342700 | |
Source: | Code function: | 0_2_00007FF77C337F10 | |
Source: | Code function: | 0_2_00007FF77C317EC0 | |
Source: | Code function: | 0_2_00007FF77C343F70 | |
Source: | Code function: | 0_2_00007FF77C323720 | |
Source: | Code function: | 0_2_00007FF77C3357F0 | |
Source: | Code function: | 0_2_00007FF77C32F7F4 | |
Source: | Code function: | 0_2_00007FF77C341800 | |
Source: | Code function: | 0_2_00007FF77C333010 | |
Source: | Code function: | 0_2_00007FF77C334890 | |
Source: | Code function: | 0_2_00007FF77C3388C0 | |
Source: | Code function: | 0_2_00007FF77C3340D0 | |
Source: | Code function: | 0_2_00007FF77C332934 | |
Source: | Code function: | 0_2_00007FF77C3269D0 | |
Source: | Code function: | 0_2_00007FF77C3369D0 | |
Source: | Code function: | 0_2_00007FF77C3489D0 | |
Source: | Code function: | 0_2_00007FF77C322A60 | |
Source: | Code function: | 0_2_00007FF77C342290 | |
Source: | Code function: | 0_2_00007FF77C32E2F0 | |
Source: | Code function: | 0_2_00007FF77C33F360 | |
Source: | Code function: | 0_2_00007FF77C33DC30 | |
Source: | Code function: | 3_2_01769BE2 | |
Source: | Code function: | 3_2_01764A98 | |
Source: | Code function: | 3_2_0176CDA8 | |
Source: | Code function: | 3_2_01763E80 | |
Source: | Code function: | 3_2_017641C8 | |
Source: | Code function: | 3_2_065256F0 | |
Source: | Code function: | 3_2_06523F60 | |
Source: | Code function: | 3_2_0652DD10 | |
Source: | Code function: | 3_2_0652BD18 | |
Source: | Code function: | 3_2_06522AF8 | |
Source: | Code function: | 3_2_06528BA3 | |
Source: | Code function: | 3_2_06520040 | |
Source: | Code function: | 3_2_06523253 | |
Source: | Code function: | 3_2_06525010 |
Source: | Code function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: | ||
Source: | Cryptographic APIs: |
Source: | Classification label: |
Source: | Code function: | 0_2_00007FF77C322890 |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | File created: | |||
Source: | File created: | |||
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to dropped file |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | File created: | Jump to dropped file |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior | ||
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: |
Source: | Code function: | 0_2_00007FF77C3224C0 |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior |
Source: | Code function: | 0_2_00007FF77C3155C0 | |
Source: | Code function: | 0_2_00007FF77C379808 |
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Memory allocated: | Jump to behavior |
Source: | Memory written: | Jump to behavior |
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior | ||
Source: | Memory written: | Jump to behavior |
Source: | Process created: | Jump to behavior |
Source: | Code function: | 0_2_00007FF77C315270 |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Code function: | 0_2_00007FF77C31DD30 |
Source: | Key value queried: | Jump to behavior |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | File opened: | Jump to behavior | ||
Source: | File opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior | ||
Source: | Key opened: | Jump to behavior |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 311 Process Injection | 1 Obfuscated Files or Information | 1 Credentials in Registry | 36 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 211 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Masquerading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
37% | ReversingLabs | Win64.Trojan.Generic | ||
28% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
37% | ReversingLabs | Win64.Trojan.Generic | ||
28% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
0% | Virustotal | Browse | ||
2% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
cp8nl.hyperhost.ua | 185.174.175.187 | true | true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.174.175.187 | cp8nl.hyperhost.ua | Ukraine | 21100 | ITLDC-NLUA | true |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1446501 |
Start date and time: | 2024-05-23 15:12:07 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 20s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exerenamed because original name is a hash value |
Original Sample Name: | TBTAK SAGE TEKLF TALEP VE FYAT TEKLF sxlx..exe |
Detection: | MAL |
Classification: | mal100.troj.spyw.expl.evad.winEXE@4/2@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
09:12:52 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
185.174.175.187 | Get hash | malicious | AgentTesla | Browse | ||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla | Browse | |||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
cp8nl.hyperhost.ua | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ITLDC-NLUA | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | SmokeLoader | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | AgentTesla, DarkTortilla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | RedLine | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
| ||
Get hash | malicious | AgentTesla | Browse |
|
C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe
Download File
Process: | C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2070528 |
Entropy (8bit): | 7.009704680519339 |
Encrypted: | false |
SSDEEP: | 24576:oynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52jOXuq01dKqOFWYuO:ZjN3CdJ81nEQhs30e1uqsrOFA |
MD5: | 456442E5615445A54F15EAE38140C50A |
SHA1: | F81074CE9855601A33B97FB357FBEE1BBDD7FCF6 |
SHA-256: | 0ECA094AC422E8D7B0B58532B5A1FB7A59B4CC6CB6BBE1EC49259EBF10522AE5 |
SHA-512: | B69F617E0DEB48AF12F230DCF016211F94EEA612F364357D84E96499F61B1BDC028CCA43BBFA7F8F169B2645F6F6D6F243671E4C10AB2080F9C5896B45BC8ED0 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Reputation: | low |
Preview: |
C:\Users\user\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe:Zone.Identifier
Download File
Process: | C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.009704680519339 |
TrID: |
|
File name: | T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe |
File size: | 2'070'528 bytes |
MD5: | 456442e5615445a54f15eae38140c50a |
SHA1: | f81074ce9855601a33b97fb357fbee1bbdd7fcf6 |
SHA256: | 0eca094ac422e8d7b0b58532b5a1fb7a59b4cc6cb6bbe1ec49259ebf10522ae5 |
SHA512: | b69f617e0deb48af12f230dcf016211f94eea612f364357d84e96499f61b1bdc028cca43bbfa7f8f169b2645f6f6d6f243671e4c10ab2080f9c5896b45bc8ed0 |
SSDEEP: | 24576:oynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52jOXuq01dKqOFWYuO:ZjN3CdJ81nEQhs30e1uqsrOFA |
TLSH: | 78A5B005A3F801E4E46BC634C6599733D2B1B84A1734E58B0A5AD7822F73EE15BBF712 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6c.IW._IW._IW._O..^EW._O..^XW._O..^gW._@/._GW._./.^BW._IW._IV._.+.^BW._.+.^.W._IW._KW._#..^HW._#.._HW._#..^HW._RichIW._....... |
Icon Hash: | 4f81888c8c89874f |
Entrypoint: | 0x140068d5c |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x140000000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE |
DLL Characteristics: | HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x664E7376 [Wed May 22 22:36:38 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 79856d4b034c49dc3dd3e403b25b6bbf |
Instruction |
---|
dec eax |
sub esp, 28h |
call 00007FD7D4D030ECh |
dec eax |
add esp, 28h |
jmp 00007FD7D4D029E7h |
int3 |
int3 |
inc eax |
push ebx |
dec eax |
sub esp, 20h |
dec eax |
mov ebx, ecx |
jmp 00007FD7D4D02B81h |
dec eax |
mov ecx, ebx |
call 00007FD7D4D0B225h |
test eax, eax |
je 00007FD7D4D02B85h |
dec eax |
mov ecx, ebx |
call 00007FD7D4D02897h |
dec eax |
test eax, eax |
je 00007FD7D4D02B59h |
dec eax |
add esp, 20h |
pop ebx |
ret |
dec eax |
cmp ebx, FFFFFFFFh |
je 00007FD7D4D02B78h |
call 00007FD7D4D0357Ch |
int3 |
call 00007FD7D4D03596h |
int3 |
jmp 00007FD7D4D035C4h |
int3 |
int3 |
int3 |
jmp 00007FD7D4D02C2Ch |
int3 |
int3 |
int3 |
dec eax |
sub esp, 28h |
dec ebp |
mov eax, dword ptr [ecx+38h] |
dec eax |
mov ecx, edx |
dec ecx |
mov edx, ecx |
call 00007FD7D4D02B82h |
mov eax, 00000001h |
dec eax |
add esp, 28h |
ret |
int3 |
int3 |
int3 |
inc eax |
push ebx |
inc ebp |
mov ebx, dword ptr [eax] |
dec eax |
mov ebx, edx |
inc ecx |
and ebx, FFFFFFF8h |
dec esp |
mov ecx, ecx |
inc ecx |
test byte ptr [eax], 00000004h |
dec esp |
mov edx, ecx |
je 00007FD7D4D02B85h |
inc ecx |
mov eax, dword ptr [eax+08h] |
dec ebp |
arpl word ptr [eax+04h], dx |
neg eax |
dec esp |
add edx, ecx |
dec eax |
arpl ax, cx |
dec esp |
and edx, ecx |
dec ecx |
arpl bx, ax |
dec edx |
mov edx, dword ptr [eax+edx] |
dec eax |
mov eax, dword ptr [ebx+10h] |
mov ecx, dword ptr [eax+08h] |
dec eax |
mov eax, dword ptr [ebx+08h] |
test byte ptr [ecx+eax+03h], 0000000Fh |
je 00007FD7D4D02B7Dh |
movzx eax, byte ptr [ecx+eax+00h] |
Programming Language: |
|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f79a0 | 0x58 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f79f8 | 0xf0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21d000 | 0x3c1e6 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x208000 | 0x1314c | .pdata |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25a000 | 0x634 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1ca370 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1ca500 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ca230 | 0x140 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17d000 | 0x778 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x71a88 | 0x71c00 | 5cdd54da137ec06542526019b1031732 | False | 0.4528288118131868 | data | 6.6410813091638 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.managed | 0x73000 | 0xb9168 | 0xb9200 | 2d30634d2eb96982ab12a2d431b95020 | False | 0.4601620526671168 | data | 6.463570386679756 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
hydrated | 0x12d000 | 0x4f808 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0x17d000 | 0x7c4de | 0x7c600 | 45fde1d586ca634d803af629131f3bfa | False | 0.469921875 | data | 6.575391637700044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1fa000 | 0xdc90 | 0x2200 | 5c15d417ed4d359d82911c50efdabf9a | False | 0.23793658088235295 | data | 3.6721787513471362 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x208000 | 0x1314c | 0x13200 | 8cc774a948808419be7ca4f4b39fb78d | False | 0.4887280433006536 | data | 6.17164551981099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
_RDATA | 0x21c000 | 0x1f4 | 0x200 | cfc28b4453f40f4f91f4a52e36529a97 | False | 0.5078125 | data | 4.172727899540164 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x21d000 | 0x3c1e6 | 0x3c200 | 535b3db1e106e9738a2368c5f2218406 | False | 0.9869006626819127 | data | 7.992805950422709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x25a000 | 0x634 | 0x800 | 8b35b44373572aa9287a6c541ff3e534 | False | 0.48681640625 | data | 4.726579003687373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
BINARY | 0x21d1c0 | 0x3aa94 | data | 1.0003371123208311 | ||
RT_ICON | 0x257c54 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | 0.37406191369606 | ||
RT_GROUP_ICON | 0x258cfc | 0x14 | data | 1.1 | ||
RT_VERSION | 0x258d10 | 0x2ec | data | 0.4144385026737968 | ||
RT_MANIFEST | 0x258ffc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.5489795918367347 |
DLL | Import |
---|---|
ADVAPI32.dll | RegCloseKey, RegEnumKeyExW, RegEnumValueW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegSetValueExA, GetTokenInformation, DuplicateTokenEx, OpenThreadToken, RevertToSelf, ImpersonateLoggedOnUser, CheckTokenMembership, EventWrite, EventRegister, EventEnabled |
bcrypt.dll | BCryptGenRandom, BCryptEncrypt, BCryptDecrypt, BCryptImportKey, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptCloseAlgorithmProvider, BCryptDestroyKey |
KERNEL32.dll | TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, RtlPcToFileHeader, CloseThreadpoolIo, GetStdHandle, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToSystemTime, GetSystemTime, GetCalendarInfoEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, GetLocaleInfoEx, ResolveLocaleName, GetUserPreferredUILanguages, FindStringOrdinal, GetTickCount64, GetCurrentProcess, GetCurrentThread, Sleep, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, LocalFree, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, QueryPerformanceCounter, WaitForMultipleObjectsEx, GetLastError, QueryPerformanceFrequency, SetLastError, GetFullPathNameW, GetLongPathNameW, MultiByteToWideChar, WideCharToMultiByte, LocalAlloc, GetConsoleOutputCP, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, LocaleNameToLCID, LCMapStringEx, EnumTimeFormatsEx, EnumCalendarInfoExEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetFileAttributesExW, GetFileInformationByHandleEx, GetFileType, GetModuleFileNameW, GetOverlappedResult, GetSystemDirectoryW, LoadLibraryExW, ReadFile, SetFileInformationByHandle, SetThreadErrorMode, GetDynamicTimeZoneInformation, GetTimeZoneInformation, WriteFile, GetCurrentProcessorNumberEx, CloseHandle, SetEvent, CreateEventExW, GetEnvironmentVariableW, FormatMessageW, DuplicateHandle, GetThreadPriority, SetThreadPriority, GetConsoleMode, WriteConsoleW, GetExitCodeProcess, TerminateProcess, OpenProcess, K32EnumProcesses, GetProcessId, CreateProcessA, GetConsoleWindow, FreeConsole, AllocConsole, VirtualAllocEx, ResumeThread, CreateProcessW, GetThreadContext, SetThreadContext, FlushProcessWriteBuffers, GetCurrentThreadId, WaitForSingleObjectEx, VirtualQuery, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, CreateThread, SuspendThread, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, WaitForSingleObject, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, GetCurrentProcessId |
ole32.dll | CoUninitialize, CoTaskMemAlloc, CoGetApartmentType, CoCreateGuid, CoTaskMemFree, CoWaitForMultipleHandles, CoInitializeEx |
USER32.dll | LoadStringW |
api-ms-win-crt-math-l1-1-0.dll | pow, modf, ceil, __setusermatherr |
api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, _callnewh, _set_new_mode, free |
api-ms-win-crt-string-l1-1-0.dll | wcsncmp, strncpy_s, _stricmp, strcpy_s, strcmp, _wcsicmp |
api-ms-win-crt-runtime-l1-1-0.dll | _c_exit, _register_thread_local_exe_atexit_callback, _get_initial_wide_environment, _cexit, __p___wargv, __p___argc, _exit, exit, _initterm_e, _initterm, terminate, _crt_atexit, _initialize_wide_environment, _configure_wide_argv, _register_onexit_function, _initialize_onexit_table, _set_app_type, _seh_filter_exe, abort |
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s, __stdio_common_vsscanf, __stdio_common_vfprintf, __acrt_iob_func, _set_fmode, __p__commode |
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale |
Name | Ordinal | Address |
---|---|---|
DotNetRuntimeDebugHeader | 1 | 0x1401fb360 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 23, 2024 15:12:53.260236979 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:53.265321016 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:53.265409946 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.029222965 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.030416965 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.035527945 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.328249931 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.328459024 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.333328962 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.527731895 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.533373117 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.538422108 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.733638048 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.734266996 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.734365940 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.736526012 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.739083052 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.739213943 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.821755886 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:54.859803915 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:54.866245031 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.040095091 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.068104029 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:55.073221922 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.241656065 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.242585897 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:55.247649908 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.417109966 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.418338060 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:55.423413038 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.603194952 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.603755951 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:55.608814001 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.799839973 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:55.800117970 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:55.806675911 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.058804989 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.059051991 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:56.068198919 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.256257057 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.256917000 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:56.256973982 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:56.257013083 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:56.257034063 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:12:56.261940956 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.267010927 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.315535069 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.315591097 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.629919052 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:12:56.670226097 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:14:33.264463902 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
May 23, 2024 15:14:33.269871950 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:14:33.438318968 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 |
May 23, 2024 15:14:33.443396091 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 23, 2024 15:12:53.241302967 CEST | 57800 | 53 | 192.168.2.5 | 1.1.1.1 |
May 23, 2024 15:12:53.252381086 CEST | 53 | 57800 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
May 23, 2024 15:12:53.241302967 CEST | 192.168.2.5 | 1.1.1.1 | 0x80b4 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
May 23, 2024 15:12:53.252381086 CEST | 1.1.1.1 | 192.168.2.5 | 0x80b4 | No error (0) | 185.174.175.187 | A (IP address) | IN (0x0001) | false |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
May 23, 2024 15:12:54.029222965 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 | 220-cp8nl.hyperhost.ua ESMTP Exim 4.97.1 #2 Thu, 23 May 2024 16:12:53 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. |
May 23, 2024 15:12:54.030416965 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 | EHLO 066656 |
May 23, 2024 15:12:54.328249931 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 | 250-cp8nl.hyperhost.ua Hello 066656 [8.46.123.175] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP |
May 23, 2024 15:12:54.328459024 CEST | 49704 | 587 | 192.168.2.5 | 185.174.175.187 | STARTTLS |
May 23, 2024 15:12:54.527731895 CEST | 587 | 49704 | 185.174.175.187 | 192.168.2.5 | 220 TLS go ahead |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 09:12:50 |
Start date: | 23/05/2024 |
Path: | C:\Users\user\Desktop\T#U00dcB#U0130TAK SAGE TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130 sxlx..exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff77c310000 |
File size: | 2'070'528 bytes |
MD5 hash: | 456442E5615445A54F15EAE38140C50A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 09:12:50 |
Start date: | 23/05/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 09:12:51 |
Start date: | 23/05/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe20000 |
File size: | 47'584 bytes |
MD5 hash: | 94C8E57A80DFCA2482DEDB87B93D4FD9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | false |
Execution Graph
Execution Coverage: | 6.8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 26.7% |
Total number of Nodes: | 983 |
Total number of Limit Nodes: | 29 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3155C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C33C160 Relevance: .7, Instructions: 694COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C340560 Relevance: .4, Instructions: 398COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C33EB10 Relevance: .3, Instructions: 332COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C322070 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C31AE30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90memoryCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C316480 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88sleepCOMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C321E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C319D50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71COMMON
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C378D70 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE
Control-flow Graph
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3227D0 Relevance: 1.3, APIs: 1, Instructions: 7COMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C322890 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C317EC0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 248COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C315270 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 193COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C342700 Relevance: .9, Instructions: 945COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C343600 Relevance: .6, Instructions: 626COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C343F70 Relevance: .6, Instructions: 583COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C32FDA0 Relevance: .4, Instructions: 432COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3369D0 Relevance: .4, Instructions: 415COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C334890 Relevance: .4, Instructions: 361COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C32F7F4 Relevance: .4, Instructions: 357COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3489D0 Relevance: .3, Instructions: 332COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C332934 Relevance: .3, Instructions: 327COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3388C0 Relevance: .3, Instructions: 273COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C342290 Relevance: .3, Instructions: 268COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3357F0 Relevance: .3, Instructions: 251COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3269D0 Relevance: .2, Instructions: 189COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C338D40 Relevance: .2, Instructions: 171COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C333010 Relevance: .2, Instructions: 165COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C33F360 Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C31A990 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 85libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C315D00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 83threadlibraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C316100 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51threadCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C313500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C352DC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C31AF90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C31AFE0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C3792DC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Function 00007FF77C37A65C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Yara matches |
Similarity |
|
Execution Graph
Execution Coverage: | 10.7% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 13 |
Total number of Limit Nodes: | 2 |
Graph
Function 01769BE2 Relevance: 2.7, Instructions: 2738COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176CDA8 Relevance: 2.3, Instructions: 2293COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01763E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764A98 Relevance: .3, Instructions: 266COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764804 Relevance: 2.7, Strings: 2, Instructions: 181COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01766ED7 Relevance: 2.6, Strings: 2, Instructions: 143COMMON
Control-flow Graph
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0652E290 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01763E74 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176F2CD Relevance: 1.4, Strings: 1, Instructions: 112COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01766F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01766B90 Relevance: 1.3, Strings: 1, Instructions: 79COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01767908 Relevance: .6, Instructions: 554COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01769364 Relevance: .4, Instructions: 378COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017696E0 Relevance: .4, Instructions: 353COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764A8C Relevance: .3, Instructions: 263COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01766CDD Relevance: .1, Instructions: 133COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01766CE8 Relevance: .1, Instructions: 132COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176112A Relevance: .1, Instructions: 114COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761138 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176F190 Relevance: .1, Instructions: 96COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176F1A0 Relevance: .1, Instructions: 91COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017626DE Relevance: .1, Instructions: 91COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017626E8 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01769250 Relevance: .1, Instructions: 82COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01769260 Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01769150 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0176169F Relevance: .1, Instructions: 74COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0171D030 Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761878 Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764F8A Relevance: .1, Instructions: 71COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01769160 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761888 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017616B0 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761382 Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01764F98 Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01760848 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01760838 Relevance: .1, Instructions: 60COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761488 Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017617C2 Relevance: .1, Instructions: 57COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0171D02B Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01761498 Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 017680F1 Relevance: .0, Instructions: 38COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01767090 Relevance: .0, Instructions: 34COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 01768100 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|