Edit tour

Windows Analysis Report
8zyfXqDPaT.exe

Overview

General Information

Sample name:	8zyfXqDPaT.exe renamed because original name is a hash value
Original sample name:	f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e.exe
Analysis ID:	1447648
MD5:	a37c6527cabbbaf1e4aa9674b0476069
SHA1:	32ce4f91b5ab0da2e1d290164636b2a0dfb46523
SHA256:	f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e
Tags:	exeNetWire
Infos:

Detection

NetWire

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected NetWire RAT

Yara detected Netwire RAT

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8zyfXqDPaT.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\8zyfXqDPaT.exe" MD5: A37C6527CABBBAF1E4AA9674B0476069)

WerFault.exe (PID: 8084 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 392 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NetWire RC, NetWire	Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF	APT33	http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

Malware Configuration

Threatname: NetWire

{"C2 list": ["23.95.88.13:3360"], "Password": "doctor", "Host ID": "HostId-yaq2Oq", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "system", "ActiveX Key": "{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}", "KeyLog Directory": "C:\\Documents and Settings\\Administrator\\Application Data\\Logs\\"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
8zyfXqDPaT.exe	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
8zyfXqDPaT.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8zyfXqDPaT.exe	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
8zyfXqDPaT.exe	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
8zyfXqDPaT.exe	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
8zyfXqDPaT.exe	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
8zyfXqDPaT.exe	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
8zyfXqDPaT.exe	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
8zyfXqDPaT.exe	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
8zyfXqDPaT.exe	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1308808326.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x432d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x677:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x6da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x69c:$s7: DEL /s "%s" >nul 2>&1
00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2b6:$a2: \Login Data 0x2e1:$a2: \Login Data 0x30e:$a2: \Login Data
00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x66d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x4e5:$s6: %s\%s.bat
00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x600:$str2: %d:%I64u:%s%s; 0x658:$str3: %s%.2d-%.2d-%.4d 0x66d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x675:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x816:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x694:$klg1: [Backspace] 0x6a0:$klg2: [Enter] 0x6a8:$klg3: [Tab] 0x6ae:$klg4: [Arrow Left] 0x6bb:$klg5: [Arrow Up] 0x6c6:$klg6: [Arrow Right] 0x6d4:$klg7: [Arrow Down] 0x6e1:$klg8: [Home] 0x6e8:$klg9: [Page Up] 0x6f2:$klg10: [Page Down] 0x6fe:$klg11: [End] 0x704:$klg12: [Break] 0x70c:$klg13: [Delete] 0x715:$klg14: [Insert] 0x71e:$klg15: [Print Screen] 0x72d:$klg16: [Scroll Lock]
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x1674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6:$a2: \Login Data 0x12e1:$a2: \Login Data 0x130e:$a2: \Login Data
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x677:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x6da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x166d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x14e5:$s6: %s\%s.bat 0x69c:$s7: DEL /s "%s" >nul 2>&1
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x165a:$exe1: %.2d-%.2d-%.4d 0x17a7:$exe1: %.2d-%.2d-%.4d 0x1658:$exe2: %s%.2d-%.2d-%.4d 0x166d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1798:$exe4: wcnwClass 0x1753:$exe5: [Ctrl+%c] 0x1374:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0xf39:$exe7: %s\.purple\accounts.xml
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x1600:$str2: %d:%I64u:%s%s; 0x1658:$str3: %s%.2d-%.2d-%.4d 0x166d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x96c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xb62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1675:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1816:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1694:$klg1: [Backspace] 0x16a0:$klg2: [Enter] 0x16a8:$klg3: [Tab] 0x16ae:$klg4: [Arrow Left] 0x16bb:$klg5: [Arrow Up] 0x16c6:$klg6: [Arrow Right] 0x16d4:$klg7: [Arrow Down] 0x16e1:$klg8: [Home] 0x16e8:$klg9: [Page Up] 0x16f2:$klg10: [Page Down] 0x16fe:$klg11: [End] 0x1704:$klg12: [Break] 0x170c:$klg13: [Delete] 0x1715:$klg14: [Insert]
00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0xcc8:$v2: mozsqlite3 0x172d:$v3: [Scroll Lock] 0x1788:$v4: GetRawInputData 0x677:$ping: ping 192.0.2.2
00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x432d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0xbd90:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xeaf4:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xb7c9:$a2: \Login Data 0xb7f2:$a2: \Login Data 0xb81c:$a2: \Login Data 0xb891:$a2: \Login Data 0xb8b9:$a2: \Login Data 0xb8e2:$a2: \Login Data 0xe562:$a2: \Login Data 0xe58b:$a2: \Login Data 0xe5b5:$a2: \Login Data 0xe62a:$a2: \Login Data 0xe652:$a2: \Login Data 0xe67b:$a2: \Login Data
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x7a55:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0xd50b:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x7ab8:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0xd56e:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0xbd89:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xeaed:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbb53:$s6: %s\%s.bat 0xe8c5:$s6: %s\%s.bat 0x7a7a:$s7: DEL /s "%s" >nul 2>&1 0xd530:$s7: DEL /s "%s" >nul 2>&1
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0xbd76:$exe1: %.2d-%.2d-%.4d 0xbeb4:$exe1: %.2d-%.2d-%.4d 0xc010:$exe1: %.2d-%.2d-%.4d 0xeada:$exe1: %.2d-%.2d-%.4d 0xec18:$exe1: %.2d-%.2d-%.4d 0xed74:$exe1: %.2d-%.2d-%.4d 0xbd74:$exe2: %s%.2d-%.2d-%.4d 0xc00e:$exe2: %s%.2d-%.2d-%.4d 0xead8:$exe2: %s%.2d-%.2d-%.4d 0xed72:$exe2: %s%.2d-%.2d-%.4d 0xbd89:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xeaed:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbeaa:$exe4: wcnwClass 0xc003:$exe4: wcnwClass 0xec0e:$exe4: wcnwClass 0xed67:$exe4: wcnwClass 0xbe6d:$exe5: [Ctrl+%c] 0xbfc4:$exe5: [Ctrl+%c] 0xebd1:$exe5: [Ctrl+%c] 0xed28:$exe5: [Ctrl+%c] 0xb92a:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xbd27:$str2: %d:%I64u:%s%s; 0xbd51:$str2: %d:%I64u:%s%s; 0xea8b:$str2: %d:%I64u:%s%s; 0xeab5:$str2: %d:%I64u:%s%s; 0xbd74:$str3: %s%.2d-%.2d-%.4d 0xc00e:$str3: %s%.2d-%.2d-%.4d 0xead8:$str3: %s%.2d-%.2d-%.4d 0xed72:$str3: %s%.2d-%.2d-%.4d 0xbd89:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xeaed:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x7b93:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x7bb9:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x7de8:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xbd91:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xc06f:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xd649:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xd66f:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xd89e:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xeaf5:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xbdae:$klg1: [Backspace] 0xbf18:$klg1: [Backspace]
Process Memory Space: 8zyfXqDPaT.exe PID: 7564	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x7f33:$v2: mozsqlite3 0x8241:$v2: mozsqlite3 0xd9e9:$v2: mozsqlite3 0xdcf7:$v2: mozsqlite3 0xbe47:$v3: [Scroll Lock] 0xbfa2:$v3: [Scroll Lock] 0xebab:$v3: [Scroll Lock] 0xed06:$v3: [Scroll Lock] 0xbe9a:$v4: GetRawInputData 0xbff4:$v4: GetRawInputData 0xebfe:$v4: GetRawInputData 0xed58:$v4: GetRawInputData 0x7a55:$ping: ping 192.0.2.2 0xd50b:$ping: ping 192.0.2.2
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0.0.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
0.0.8zyfXqDPaT.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
0.0.8zyfXqDPaT.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
0.0.8zyfXqDPaT.exe.400000.0.unpack	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
0.0.8zyfXqDPaT.exe.400000.0.unpack	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
0.0.8zyfXqDPaT.exe.400000.0.unpack	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
0.0.8zyfXqDPaT.exe.400000.0.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
0.0.8zyfXqDPaT.exe.400000.0.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
0.2.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0.2.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.8zyfXqDPaT.exe.400000.0.unpack	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
0.2.8zyfXqDPaT.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
0.2.8zyfXqDPaT.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
0.2.8zyfXqDPaT.exe.400000.0.unpack	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
0.2.8zyfXqDPaT.exe.400000.0.unpack	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
0.2.8zyfXqDPaT.exe.400000.0.unpack	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
0.2.8zyfXqDPaT.exe.400000.0.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
0.2.8zyfXqDPaT.exe.400000.0.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8zyfXqDPaT.exe

Avira: detected

Found malware configuration

Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack

Malware Configuration Extractor: NetWire {"C2 list": ["23.95.88.13:3360"], "Password": "doctor", "Host ID": "HostId-yaq2Oq", "Mutex": "-", "Install Path": "%AppData%\\Install\\Host.exe", "Startup Name": "system", "ActiveX Key": "{3GYL0VK1-5SB1-4X20-W6B8-PQP7L2B50166}", "KeyLog Directory": "C:\\Documents and Settings\\Administrator\\Application Data\\Logs\\"}

Multi AV Scanner detection for submitted file

Source: 8zyfXqDPaT.exe	ReversingLabs: Detection: 97%
Source: 8zyfXqDPaT.exe	Virustotal: Detection: 90%			Perma Link

Machine Learning detection for sample

Source: 8zyfXqDPaT.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004080D4 RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	0_2_004080D4
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040A0DE CryptUnprotectData,LocalFree,	0_2_0040A0DE
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,	0_2_00408D46
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00408971 RegQueryValueExA,CryptUnprotectData,LocalFree,	0_2_00408971
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004087B6 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_004087B6

Source: 8zyfXqDPaT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose,	0_2_0040947B
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_00404C1F
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040D088 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040D088
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_004045AC
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose,	0_2_00404305

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00412598 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412598

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 23.95.88.13:3360

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00403877 send,recv,htons,send,recv,

0_2_00403877

Source: Amcache.hve.7.dr

String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040FD55 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD55

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_004061D0 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,malloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,

0_2_004061D0

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040FD55 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD55

Source: 8zyfXqDPaT.exe, 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_27dd094b-6

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040FD55 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD55

System Summary

Malicious sample detected (through community Yara rule)

Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1308808326.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 70E50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 71E20000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 72DF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 740D0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 77680000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 76390000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 73DC0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 750A0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75870000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 77060000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 752A0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75A70000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75D30000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75760000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75B70000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75F70000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 760B0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 76EE0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 77260000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 77400000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 73FC0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 757E0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 75E30000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 76130000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 76790000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 77480000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 74000000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Memory allocated: 76170000 page read and write	Jump to behavior

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00411CE7	0_2_00411CE7
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040E4F8	0_2_0040E4F8
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0041156C	0_2_0041156C
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040E1C4	0_2_0040E1C4
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040E6D7	0_2_0040E6D7
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00402BE6	0_2_00402BE6
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040EBAA	0_2_0040EBAA

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 392

Source: 8zyfXqDPaT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 8zyfXqDPaT.exe, type: SAMPLE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.1308808326.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00412598 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412598

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00412014 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00412014

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7564

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a284f0a2-2a2a-4ec7-b037-2fbb953032fc

Jump to behavior

Source: 8zyfXqDPaT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8zyfXqDPaT.exe	ReversingLabs: Detection: 97%
Source: 8zyfXqDPaT.exe	Virustotal: Detection: 90%

Source: unknown	Process created: C:\Users\user\Desktop\8zyfXqDPaT.exe "C:\Users\user\Desktop\8zyfXqDPaT.exe"
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 392

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,

0_2_00408D46

Source: 8zyfXqDPaT.exe

Static PE information: real checksum: 0x1bdad should be: 0x159a1

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040FD55 push ecx; mov dword ptr [esp], 00000091h	0_2_0040FD70
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040FD55 push eax; mov dword ptr [esp], esi	0_2_0040FD90
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00411154 push ecx; mov dword ptr [esp], eax	0_2_00411343
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040491C push edi; mov dword ptr [esp], eax	0_2_004049DB
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00410936 push ecx; mov dword ptr [esp], eax	0_2_0041098B
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004061D0 push edx; mov dword ptr [esp], eax	0_2_00406464
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004049EC push ecx; mov dword ptr [esp], ebx	0_2_00404A1A
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040D9F6 push ecx; mov dword ptr [esp], ebx	0_2_0040DA22
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004101B6 push eax; mov dword ptr [esp], ebx	0_2_00410316
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040FACC push eax; mov dword ptr [esp], 004186C0h	0_2_0040FB7A

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-4777

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-6312

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-4722

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose,	0_2_0040947B
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_00404C1F
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_0040D088 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040D088
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_004045AC
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose,	0_2_00404305

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00412598 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412598

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040B904 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_0040B904

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 8zyfXqDPaT.exe, 00000000.00000002.1718483530.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	API call chain: ExitProcess graph end node	graph_0-4666
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	API call chain: ExitProcess graph end node	graph_0-4983
Source: C:\Users\user\Desktop\8zyfXqDPaT.exe	API call chain: ExitProcess graph end node	graph_0-4640

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,

0_2_00408D46

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040658F keybd_event,

0_2_0040658F

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_004065ED SetCursorPos,mouse_event,

0_2_004065ED

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0041044B GetLocalTime,

0_2_0041044B

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040B8A9 getenv,GetUserNameA,

0_2_0040B8A9

Source: C:\Users\user\Desktop\8zyfXqDPaT.exe

Code function: 0_2_0040B904 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_0040B904

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 8zyfXqDPaT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR

Remote Access Functionality

Yara detected NetWire RAT

Source: Yara match	File source: 8zyfXqDPaT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR

Yara detected Netwire RAT

Source: Yara match	File source: 8zyfXqDPaT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8zyfXqDPaT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8zyfXqDPaT.exe PID: 7564, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	131 Input Capture	1 System Time Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	131 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	5 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8zyfXqDPaT.exe	97%	ReversingLabs	Win32.Backdoor.NetWiredRc
8zyfXqDPaT.exe	91%	Virustotal		Browse
8zyfXqDPaT.exe	100%	Avira	TR/Spy.Gen
8zyfXqDPaT.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
23.95.88.13:3360	0%	Avira URL Cloud	safe
23.95.88.13:3360	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
23.95.88.13:3360	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447648
Start date and time:	2024-05-26 09:56:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8zyfXqDPaT.exe renamed because original name is a hash value
Original Sample Name:	f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:57:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8zyfXqDPaT.exe_597f6042507848fc7dadc62a3ffaed4ee9ff7a_a6f17a6b_26226c92-4c22-481a-a403-269a013eebf7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.734898219434203
Encrypted:	false
SSDEEP:	96:3dFZolgzCsgheK7LfNQXIDcQnc6ucEhcw3l+K+HbHg/oJAnQO3q8PCFDbOyWZAXg:NTolUC005qrR+TjYqzuiFGZ24IO8C9
MD5:	AE25B85AE8B6F92C0CE68CD3749D66D3
SHA1:	D95ECDC6856C8B875369874DCB4E5C22EA60BD1A
SHA-256:	E202E22046FCADC7ADB56CFA9AC8C712AF668E2A14718F031E18CE62A5F3E2EC
SHA-512:	36725D2B429275952448C0963A2B3D96A848710620AB8F336E9AFCFD33636A7CBB124F0DA6F16CA238068E9D10703A36FBB977B8132461B176BE1EEC0D49C680
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.1.8.3.8.4.7.7.3.9.9.6.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.1.8.3.8.5.2.1.1.4.9.8.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.6.2.2.6.c.9.2.-.4.c.2.2.-.4.8.1.a.-.a.4.0.3.-.2.6.9.a.0.1.3.e.e.b.f.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.d.2.e.4.c.d.-.d.5.5.0.-.4.d.0.c.-.b.2.a.f.-.c.0.4.3.5.6.4.4.1.0.e.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.z.y.f.X.q.D.P.a.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.c.-.0.0.0.1.-.0.0.1.4.-.e.2.a.0.-.3.a.4.7.4.2.a.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.7.9.9.f.d.5.d.4.d.9.3.b.5.3.3.4.e.0.a.c.9.3.7.1.c.1.4.5.6.9.4.0.0.0.0.f.f.f.f.!.0.0.0.0.3.2.c.e.4.f.9.1.b.5.a.b.0.d.a.2.e.1.d.2.9.0.1.6.4.6.3.6.b.2.a.0.d.f.b.4.6.5.2.3.!.8.z.y.f.X.q.D.P.a.T...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9097.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun May 26 07:57:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	23136
Entropy (8bit):	2.3297942351123364
Encrypted:	false
SSDEEP:	96:5u8gnl+N1P8d3nsTBX/jOfqKC3Li7W5lwlrliM+YAV9zU74OC5TXrWIkWIJ4I0TB:nhhEC3LOswlrliMMXzUcF5Tdou3bv/L
MD5:	F8B8B8BC5CBE3F0B4E9BABD07FECAC4E
SHA1:	5E3C790CD7A2F98B134C10DE12C9765592F7A77B
SHA-256:	6C3694CAA48972160135D368CF630310A833C1E2E2AC5B9C861F957FBF6F1651
SHA-512:	4C5704B9A8E8C58787D4D53E96E8BF83D612FC82A940F3BA67DB050A9AFE9C0CD614D8C0D443C1BBC06D9D2EADFFDD4080989DBD214366F10E9FE4B83F90F2BD
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......h.Rf............4...........t...<.......T...............T.......8...........T...........`....K......................................................................................................eJ......4.......GenuineIntel............T...........G.Rf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91D1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.7039497090002556
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0WA62Eex6YcDbSUUKgmfENpDx89bwVsfJwm:R6lXJi62Eex6YcSUUKgmfEGwufr
MD5:	293C78FC463913F794E1A3BB4D9B1F67
SHA1:	A236BF3108C28EE4F60C6CAD923BCB9C4C487D3C
SHA-256:	6A03D086E307A742418C4D4CBDDA987DC1167FB4F5CD43E9B850359F41BDA0FD
SHA-512:	3BB75EA4B2060F120916AA40DC116817DDBB8F26AEA5E9A17DE0E25F40221793657FE4CC9A9C8A7F3D8E2E67A693EEF4FCFEAE89BBAFFBDD6073479002DEC586
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ED2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.480612914521914
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg77aI96tWpW8VYLPYm8M4JvdFBa+q8IDE50hUAVd:uIjfWI78c7V6SJk9e0hFVd
MD5:	0A13065459DFD4DCA298ABE23F398045
SHA1:	F687BCE694A5B41A5AF20642782473799AAE243A
SHA-256:	AACA71560266DE6A2A95F79773FD892268901AAA6F7416B580E477BB6C9F68B0
SHA-512:	FE6118059B7329377B79CE3B81A1F45917FDE0FEB7C6E643225A7A0CAD839D0FC194CA32B42842C337FBF0494CE35D66A761441203637438DCE8CFBA508F73D7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="339780" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.39380717142474
Encrypted:	false
SSDEEP:	6144:Nl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNzROBSqa:D4vF0MYQUMM6VFY1RU
MD5:	BC34FF97F5B050848D182BC80444601B
SHA1:	0AD73D9090106C512407E8E73FA9FD98D92C2485
SHA-256:	A5B8FCF8F5B650F2950E816CD258E5C3C5636616C97F359F266D76692B3DD9AC
SHA-512:	46E6D1DAE305A6232CD510AA70C03A9ECE54B95BD2582F1FFB7A7FD368614437D6D5E2C3A8E56870C48FF26C80321D6BE852884CA0BAF47491170336B05A79A7
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..*ZB...............................................................................................................................................................................................................................................................................................................................................J.<n........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.175709067906287
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8zyfXqDPaT.exe
File size:	86'016 bytes
MD5:	a37c6527cabbbaf1e4aa9674b0476069
SHA1:	32ce4f91b5ab0da2e1d290164636b2a0dfb46523
SHA256:	f61a7fa3ca28133a6fcefa0e04b0de4dc1e4020a87388b4b3a315dc8dc18194e
SHA512:	cdbe9010ef3cf60e065dea9684b650cdfb8164c59f50c7c01dae0824abeb161e18f270b29ec3c1d678106d1a5c3ac9d1f08f7f17b337d749679a09aeec903379
SSDEEP:	1536:Jr/zIEc9uQ1q1vD9qrPP+r4MrdN/F+Xs6ibNqiRGWkxuATdWTza:Jr/zIEyQIrPP+r4MrdN/086ibgqGWkzR
TLSH:	F483C719FA0BE0F2EE4E1D7162CBF6AF0B786920D864CE41DF840D43EA53D576219B94
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......U...............8.........d...!.......0....@........................................... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4021da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x551FFBB3 [Sat Apr 4 14:56:51 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	eaf9915d2b5730c3717ea003bd93404a

Entrypoint Preview

Instruction
push ebp
mov eax, 0000103Ch
push edi
push esi
push ebx
call 00007F1E3C553101h
sub esp, eax
call 00007F1E3C5443FAh
lea ebp, dword ptr [esp+28h]
call 00007F1E3C5501EDh
lea ebx, dword ptr [esp+2Ch]
call 00007F1E3C54F940h
call 00007F1E3C54D88Bh
call 00007F1E3C54CFE9h
call 00007F1E3C54D46Dh
mov dword ptr [esp+2Ch], FFFFFFFFh
mov eax, dword ptr [esp+2Ch]
mov dword ptr [esp+08h], 00000004h
mov dword ptr [esp+04h], ebp
mov dword ptr [esp+28h], 00000000h
mov dword ptr [esp], eax
call 00007F1E3C544A79h
test al, al
je 00007F1E3C542B3Fh
mov edi, dword ptr [esp+28h]
mov esi, dword ptr [esp+2Ch]
mov dword ptr [esp+04h], edi
mov dword ptr [esp], esi
call 00007F1E3C5429D7h
test al, al
je 00007F1E3C542A52h
lea eax, dword ptr [esp+30h]
mov dword ptr [esp+08h], edi
mov dword ptr [esp+04h], eax
mov dword ptr [esp], esi
call 00007F1E3C544A45h
test al, al
je 00007F1E3C542AFAh
mov esi, dword ptr [esp+28h]
cmp esi, 00000FFFh
jnbe 00007F1E3C542A97h
mov byte ptr [esp+esi+30h], 00000000h
movzx edx, byte ptr [esp+30h]
mov edi, dword ptr [esp+2Ch]
mov dword ptr [esp+04h], edx
mov dword ptr [esp], edi
mov dword ptr [esp+1Ch], edx
call 00007F1E3C5429B8h
mov edx, dword ptr [esp+1Ch]
test al, al
jne 00007F1E3C542AABh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c000	0x10fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c30c	0x258	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11d00	0x11e00	d75a0d3817837e7fb6193b32beab0173	False	0.4841701267482518	data	5.968281013830461	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x13000	0x1a7c	0x1c00	f45ebb6f426d4298e94dfaa93da8bac8	False	0.5784040178571429	data	6.345204422487129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x15000	0x63f0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1c000	0x10fc	0x1200	1c5eecb94befaaec442aaa260dde1560	False	0.5158420138888888	data	5.623593330498326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ADVAPI32.DLL	CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL	CryptUnprotectData
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll	_beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen
SHELL32.DLL	SHGetPathFromIDListA, SHGetSpecialFolderLocation
USER32.dll	CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
WS2_32.dll	WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket

Target ID:	0
Start time:	03:56:55
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\8zyfXqDPaT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8zyfXqDPaT.exe"
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	A37C6527CABBBAF1E4AA9674B0476069
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000000.00000000.1308808326.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: RAT_NetWire, Description: Detects NetWire RAT, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> & David Cannings Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: netwire, Description: detect netwire in memory, Source: 00000000.00000000.1308838540.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:57:27
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7564 -s 392
Imagebase:	0x780000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.8%
Total number of Nodes:	1613
Total number of Limit Nodes:	2

Executed Functions

Function 0040C75F Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040C77B
malloc.MSVCRT ref: 0040C830
malloc.MSVCRT ref: 0040C887

Strings

:, xrefs: 0040C8F1
@, xrefs: 0040C8E1
l4A, xrefs: 0040C85D

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: malloc
String ID: :$@$l4A
API String ID: 2803490479-2178790103
Opcode ID: c01c6b881d9ac8b8470f24fb6952675bd9f1e5112ccef34727350d73c34c12fb
Instruction ID: 1f3f5613ae46a8fda796ca92018459f23373324c68ac89057e72aaf1bbb21938
Opcode Fuzzy Hash: c01c6b881d9ac8b8470f24fb6952675bd9f1e5112ccef34727350d73c34c12fb
Instruction Fuzzy Hash: 1D5114B04087049FD711EF26C48425EBBE0FB84748F01C92EE4989B391DBB99549CF8A

Function 00403B54 Relevance: 4.5, APIs: 3, Instructions: 18
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00403B6E
ExitProcess.KERNEL32 ref: 00403B80
InitializeCriticalSection.KERNEL32 ref: 00403B8C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CriticalExitInitializeProcessSectionStartup
String ID:
API String ID: 3456047655-0
Opcode ID: b51da93ac2a35c519dff18cf7ed19e3aece5704c1db06d64c1cbb7900f679ce5
Instruction ID: 53df392e27ab82d9e8ba401a77cb8ecfe333a1067f07abb08f20a48212b1c3a9
Opcode Fuzzy Hash: b51da93ac2a35c519dff18cf7ed19e3aece5704c1db06d64c1cbb7900f679ce5
Instruction Fuzzy Hash: 41D012B01043045AE7507F69CA067AFB6FC9B42708F40455E68C492242EBBC9495466B

Function 004021DA Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Processmalloc$CurrentExit$CountCriticalInitializeSectionStartupThreadTick
String ID:
API String ID: 1809231239-0
Opcode ID: d202bfaaa0f7395042a077b510aef5d9797f00c4ba5a181acd34e80ca12bcee5
Instruction ID: 05636aa61a430d8ec963152c9417be72b9cbf6e83dd1949a670395452f5e5270
Opcode Fuzzy Hash: d202bfaaa0f7395042a077b510aef5d9797f00c4ba5a181acd34e80ca12bcee5
Instruction Fuzzy Hash: E23109B04087408AC710BFA6818521EFBE4AF84758F418A7FF8D8772D2C7BC95468B5B

Non-executed Functions

Function 004061D0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004061F9
GetSystemMetrics.USER32 ref: 00406208
GetDesktopWindow.USER32 ref: 00406210
GetDC.USER32 ref: 00406231
CreateCompatibleDC.GDI32 ref: 0040623C
CreateCompatibleBitmap.GDI32 ref: 00406250
SelectObject.GDI32 ref: 0040627F
BitBlt.GDI32 ref: 004062C0
GetDIBits.GDI32 ref: 00406344
malloc.MSVCRT ref: 004063AF
GetDIBits.GDI32 ref: 004063EB
ReleaseDC.USER32 ref: 0040644E
DeleteDC.GDI32(00000000), ref: 0040645B
DeleteObject.GDI32 ref: 00406467

Strings

, xrefs: 00406289
BM, xrefs: 0040635A
(, xrefs: 0040638E
(, xrefs: 0040641B
6, xrefs: 00406377

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: BitsCompatibleCreateDeleteMetricsObjectSystem$BitmapDesktopReleaseSelectWindowmalloc
String ID: $($($6$BM
API String ID: 3568129938-2637400849
Opcode ID: daba86b0f2dceafdeb6366a63086dc36ac6efd43da1f5f8ab8dfb6b1bab28fbc
Instruction ID: e333ad8c3a4b8d5fc448373892ab2bce03bccdff13a7120b062623d2927a3613
Opcode Fuzzy Hash: daba86b0f2dceafdeb6366a63086dc36ac6efd43da1f5f8ab8dfb6b1bab28fbc
Instruction Fuzzy Hash: 7381B6B09083059FDB00EFA9D58579EBBF4BF44344F11882EE888EB351E7789994CB56

Function 0040FD55 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 183
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32 ref: 0040FD6A
GetKeyState.USER32 ref: 0040FD77
GetKeyState.USER32 ref: 0040FD8A
GetKeyboardState.USER32(00000000), ref: 0040FD93
MapVirtualKeyA.USER32(00000000,00000000), ref: 0040FF42
ToAscii.USER32 ref: 0040FF66
GetKeyState.USER32 ref: 0040FF78
MapVirtualKeyA.USER32 ref: 0040FFBC
GetKeyNameTextA.USER32 ref: 0040FFD5
GetKeyState.USER32 ref: 0040FFE8

Strings

, xrefs: 0041001C
`GA, xrefs: 00410014

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: State$Virtual$AsciiKeyboardNameText
String ID: $`GA
API String ID: 2992186895-3733422996
Opcode ID: e624c91c1352ac1d0ffe3d2a1ab7cc5330d19f4d2306831e5aaca221b6b8ff86
Instruction ID: ec7ec863a881efee9634d557dad8444c6d2bebeab2fac6a038ae46ed2d98a974
Opcode Fuzzy Hash: e624c91c1352ac1d0ffe3d2a1ab7cc5330d19f4d2306831e5aaca221b6b8ff86
Instruction Fuzzy Hash: 986175B04083029AD7309F14D5846DFBAE4AB86348F65C43FF485A7A91D3BD84C99B9F

Function 004080D4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 279
registryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00408133
RegOpenKeyExA.ADVAPI32 ref: 004081A3
CryptUnprotectData.CRYPT32 ref: 004084D3
LocalFree.KERNEL32 ref: 0040850A
RegEnumKeyExA.ADVAPI32 ref: 004085FA
RegCloseKey.ADVAPI32 ref: 00408613

Strings

R@A, xrefs: 00408554
i<A, xrefs: 0040815D
?, xrefs: 00408182

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Open$CloseCryptDataEnumFreeLocalUnprotect
String ID: ?$R@A$i<A
API String ID: 465718330-2923574325
Opcode ID: 78970c331e07176d5c66b768deb494c3e85097f8261ef9461c508ac6f1943454
Instruction ID: a4ccc55f8ba981cafc44d41d19eba22a5712be1f076cbf207dd9ab87e8e57c87
Opcode Fuzzy Hash: 78970c331e07176d5c66b768deb494c3e85097f8261ef9461c508ac6f1943454
Instruction Fuzzy Hash: 01E19AB08093169FCB10DF55C54469EFBF4BF88314F00C96EE488A7251D7B89A89DF96

Function 0040B904 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 0040B93A
GetVersionExA.KERNEL32 ref: 0040B981
GetSystemInfo.KERNEL32 ref: 0040B994

Strings

A, xrefs: 0040BA0B
tCA, xrefs: 0040BB35
P, xrefs: 0040BBB4

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Version$InfoSystem
String ID: A$P$tCA
API String ID: 731687086-2098838653
Opcode ID: 997b671eb54fd9e5334c881dab9817cd43900668b3b596ad9c98fe6328abb985
Instruction ID: 378d64a24b43e564056c130400fa8caf3615e0b4c94d831b1f9ad2040db8fdc0
Opcode Fuzzy Hash: 997b671eb54fd9e5334c881dab9817cd43900668b3b596ad9c98fe6328abb985
Instruction Fuzzy Hash: E771A1709082198EEB249F6588457AFB6E0EB41304F1448BFD485E6285D7BDCAC5DB8F

Function 00408D46 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142libraryloaderencryptionCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00408D5D
GetProcAddress.KERNEL32 ref: 00408D76
GetProcAddress.KERNEL32 ref: 00408D8F
CryptUnprotectData.CRYPT32 ref: 00408EB3
strlen.MSVCRT ref: 00408ED9

Strings

$, xrefs: 00408DC7
TAA, xrefs: 00408DA6
J, xrefs: 00408DD6
yAA, xrefs: 00408F11

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressProc$CryptDataLibraryLoadUnprotectstrlen
String ID: $$J$TAA$yAA
API String ID: 3252690914-3341814342
Opcode ID: a56ae54050f0b889f0f39ab05f7a14759ce83efdfd0daef4faf5776cb7b3ae73
Instruction ID: 90e295eda4a7f6e2a6eb697774234851295af6de7a9009de0714f7da16fe82ca
Opcode Fuzzy Hash: a56ae54050f0b889f0f39ab05f7a14759ce83efdfd0daef4faf5776cb7b3ae73
Instruction Fuzzy Hash: 5F61E2B0D042199FDB10DF68C584B9EBBF1FF48304F1085AAE498A7351E7789A89CF56

Function 00412598 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00411E38: malloc.MSVCRT ref: 00411E48

SetErrorMode.KERNEL32 ref: 004125C7
GetLogicalDriveStringsA.KERNEL32 ref: 004125D8
GetVolumeInformationA.KERNEL32 ref: 0041269C
GetDiskFreeSpaceExA.KERNEL32 ref: 004126F7
GetDriveTypeA.KERNEL32 ref: 0041278B

Strings

[JA, xrefs: 004127CF
S, xrefs: 0041282F
PJA, xrefs: 0041273C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Drive$DiskErrorFreeInformationLogicalModeSpaceStringsTypeVolumemalloc
String ID: PJA$S$[JA
API String ID: 4103324456-1761618106
Opcode ID: cf71502f1f9646aaf85ddfddaa9ca175fb06f5c3cea1fa9df7cdbe2c8b41a5c6
Instruction ID: 413dc0bdbdfc8843bafa3374f9455635723ce9e2e0ddf00b037f636cf9ca1e66
Opcode Fuzzy Hash: cf71502f1f9646aaf85ddfddaa9ca175fb06f5c3cea1fa9df7cdbe2c8b41a5c6
Instruction Fuzzy Hash: B471C9B08093159FD715EF15C99479EFBF4BF84344F0089AEE488A7251D7B88A858F86

Function 00404305 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 158filetimeCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040431E
FindFirstFileA.KERNEL32 ref: 0040432E
FileTimeToSystemTime.KERNEL32 ref: 004043BC
FindNextFileA.KERNEL32 ref: 004044F7
FindClose.KERNEL32 ref: 00404509

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

, xrefs: 004043EC
l9A, xrefs: 004043E4

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: FileFind$CriticalSectionTime$CloseEnterErrorFirstLeaveModeNextSystem
String ID: $l9A
API String ID: 353538454-1713450632
Opcode ID: dc4e45e60ec2832ca55661bcbdc3407cc74e99ec4f026f987709e7534a1db3d7
Instruction ID: 4ac5914737c352b605eb5e303c0285fe8982a0c07968ea428ecac6c9dbfaa336
Opcode Fuzzy Hash: dc4e45e60ec2832ca55661bcbdc3407cc74e99ec4f026f987709e7534a1db3d7
Instruction Fuzzy Hash: 5C71E4B49087149FC711DF25C5846AEBBF4AF84744F00C9AEE8D8A7351E7789A84CF86

Function 004087B6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00408805
CryptCreateHash.ADVAPI32 ref: 0040883C
CryptHashData.ADVAPI32 ref: 00408868
CryptGetHashParam.ADVAPI32 ref: 004088A3
CryptDestroyHash.ADVAPI32 ref: 0040894A
CryptReleaseContext.ADVAPI32 ref: 00408962

Strings

=AA, xrefs: 00408925

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
String ID: =AA
API String ID: 3186506766-994812051
Opcode ID: 2f3cce49da050836fb35e52979a6b48e45b4c7f9f45a7d260789ff9d658d66fc
Instruction ID: 7e8127c63c99280028c9367910d8f887cf4ee83d10da939efdfafafca6d664b7
Opcode Fuzzy Hash: 2f3cce49da050836fb35e52979a6b48e45b4c7f9f45a7d260789ff9d658d66fc
Instruction Fuzzy Hash: 8541E6B09083059FDB00EF69C5557AEBBF0BF84348F00C92EE89497285D7B88558CF9A

Function 00404C1F Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00404DA2
FindFirstFileA.KERNEL32 ref: 00404DDC
FindClose.KERNEL32 ref: 00404E06
FindNextFileA.KERNEL32 ref: 0040500B

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 0040481E: fopen.MSVCRT ref: 0040485C
Part of subcall function 0040481E: fread.MSVCRT ref: 00404895
Part of subcall function 0040481E: fclose.MSVCRT ref: 0040490C

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

!, xrefs: 00404F66
L, xrefs: 0040503B

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Find$CriticalFileSection$CloseEnterErrorFirstLeaveModeNext_vsnprintffclosefopenfread
String ID: !$L
API String ID: 2399339665-1212946904
Opcode ID: 303ac60403f1f91705d5fe2428131c3c8be2549d47eb964c677c3903fc38ebad
Instruction ID: 32613cd6b19a3e9dc0d81b948bfd35db3afc354c20aa5868ba069cf611b7e5a0
Opcode Fuzzy Hash: 303ac60403f1f91705d5fe2428131c3c8be2549d47eb964c677c3903fc38ebad
Instruction Fuzzy Hash: 07B1B3B48087159FD710EF15C58469EBBF0EF84354F40C9AEE58CA7391D3789A889F8A

Function 0040947B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040948B

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

FindFirstFileA.KERNEL32 ref: 004094D5
FindNextFileA.KERNEL32 ref: 00409660
FindClose.KERNEL32 ref: 00409676

Strings

i<A, xrefs: 004095C1

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: i<A
API String ID: 3730131509-3396280644
Opcode ID: 0ca7d93dfb76f3ae88e4c69cc09b361f3d83c12c8b8bc4c9eb577a0ee70154ed
Instruction ID: eef61fc1b6b849e5e93daf5940c089771de56a289e10f6167881217b47d4907e
Opcode Fuzzy Hash: 0ca7d93dfb76f3ae88e4c69cc09b361f3d83c12c8b8bc4c9eb577a0ee70154ed
Instruction Fuzzy Hash: 5151BAB49047099FCB50EF69C98569EBBF4AF44305F00896EE898E7341E778D984CF4A

Function 0040D088 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040D0A7

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

FindFirstFileA.KERNEL32 ref: 0040D0E3
FindNextFileA.KERNEL32 ref: 0040D250
FindClose.KERNEL32 ref: 0040D274

Strings

EA, xrefs: 0040D0B7
EA, xrefs: 0040D120

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: EA$EA
API String ID: 3730131509-2825276752
Opcode ID: 9e8cf37be38c9d8b4441ebcd7269069ae4ea469994d4f8a91f2db5d2e53164e2
Instruction ID: 219c57fcb171bb1ca2d734e431468363c7ea267f7817afa50a1f865dfdb8dd3e
Opcode Fuzzy Hash: 9e8cf37be38c9d8b4441ebcd7269069ae4ea469994d4f8a91f2db5d2e53164e2
Instruction Fuzzy Hash: D051D7B4D087149BCB10EF65C58069EBBF4EF84354F00C9AEE89CA7341D77899858F56

Function 00402BE6 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00402C40
malloc.MSVCRT ref: 00402C6F
malloc.MSVCRT ref: 00402DCF
malloc.MSVCRT ref: 00402E47

Strings

wA, xrefs: 00403316

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: malloc
String ID: wA
API String ID: 2803490479-2241071787
Opcode ID: c1942b9ef3ee7efb90057551ef2bd3b9d57f791f179a07b8547abc79e4114769
Instruction ID: b3ce33c02d2adc67a1be81ba305f1ecc45b8c83c03d9b0789a960feec4bc780c
Opcode Fuzzy Hash: c1942b9ef3ee7efb90057551ef2bd3b9d57f791f179a07b8547abc79e4114769
Instruction Fuzzy Hash: 591271704087908ED711AF36D5492AEBBE0AF45309F45487FE8C4AB3D2D7BC8589CB5A

Function 00403877 Relevance: 7.6, APIs: 5, Instructions: 101networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 004038B8
recv.WS2_32 ref: 0040390A
htons.WS2_32 ref: 00403981
send.WS2_32 ref: 004039C2
recv.WS2_32 ref: 004039EB

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: recvsend$htons
String ID:
API String ID: 2448738288-0
Opcode ID: 96d11c9c68b2896d9b9d7a8983b74177866f7a7d96671aba66e4708bc343f380
Instruction ID: 0af73237e4819d2a6fd2bb66c7aadb4d5e860f75e5265a6ee1ba409244a54811
Opcode Fuzzy Hash: 96d11c9c68b2896d9b9d7a8983b74177866f7a7d96671aba66e4708bc343f380
Instruction Fuzzy Hash: 084126F18187589AD710AF25C8443DEBFF4AF44315F00C8AEE588A7281D37997C88F96

Function 00408971 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 004087B6: CryptAcquireContextA.ADVAPI32 ref: 00408805
Part of subcall function 004087B6: CryptCreateHash.ADVAPI32 ref: 0040883C
Part of subcall function 004087B6: CryptHashData.ADVAPI32 ref: 00408868
Part of subcall function 004087B6: CryptGetHashParam.ADVAPI32 ref: 004088A3

RegQueryValueExA.ADVAPI32 ref: 004089F7
CryptUnprotectData.CRYPT32 ref: 00408A6B
LocalFree.KERNEL32 ref: 00408B25

Strings

BAA, xrefs: 00408B02

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Data$AcquireContextCreateFreeLocalParamQueryUnprotectValue
String ID: BAA
API String ID: 1605365258-1692831742
Opcode ID: 0be4edd1013ea82f49039c4e7a60059d9a7865d727498685a99c62b3369e60e4
Instruction ID: f179bb109a2118bc5320f792643b829922f5a01b24bd9340d5c77f4fd436c39b
Opcode Fuzzy Hash: 0be4edd1013ea82f49039c4e7a60059d9a7865d727498685a99c62b3369e60e4
Instruction Fuzzy Hash: 605184B49042099FCB50DF68C98579EBBF0FF48344F00856AE898E7351E774EA848F96

Function 004045AC Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004045CB

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

FindFirstFileA.KERNEL32 ref: 00404605
FindClose.KERNEL32(?,?), ref: 0040462F
FindNextFileA.KERNEL32(?,?), ref: 004047B9

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID:
API String ID: 3730131509-0
Opcode ID: cff88fd960a1a20bad580e60cd069f30997f7ceb9bd1d6fc2fc32d8876ef301f
Instruction ID: f060474aadf0eacf1b52d1b8ed81c3e5be4ff31658bb1397a1b148920b024b9a
Opcode Fuzzy Hash: cff88fd960a1a20bad580e60cd069f30997f7ceb9bd1d6fc2fc32d8876ef301f
Instruction Fuzzy Hash: E961E9B4918705AFD710EF25C58469EBBF4EF84348F04C96EE5889B381D3789A84CF4A

Function 00412014 Relevance: 6.1, APIs: 4, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00412060
Process32First.KERNEL32 ref: 00412084
Process32Next.KERNEL32 ref: 004120BC
CloseHandle.KERNEL32 ref: 004120C6

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 74706cf70a759713ded17d191935e5dd41166c0ef1915d39beea04cd36872676
Instruction ID: 62dc56eb63f44dbe15c103c2bb5ecb402caf75696f765e2790a52999e9b354d7
Opcode Fuzzy Hash: 74706cf70a759713ded17d191935e5dd41166c0ef1915d39beea04cd36872676
Instruction Fuzzy Hash: 2F112CB0909304ABD710AF65C9456AEBBE8EF88754F00885FF988D7201D3B899908B96

Function 0040B8A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040B8BE
GetUserNameA.ADVAPI32 ref: 0040B8D4

Strings

KCA, xrefs: 0040B8E3

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: NameUsergetenv
String ID: KCA
API String ID: 3323410895-1493292787
Opcode ID: b00a7324634794fb3b964863d7c52f8d56f82682e5edb33a137536abfbaef005
Instruction ID: 4175b7b0365fa983d86b33f5d9a502483810bee78ae6fc75850a3e95115a9847
Opcode Fuzzy Hash: b00a7324634794fb3b964863d7c52f8d56f82682e5edb33a137536abfbaef005
Instruction Fuzzy Hash: CDF03671904318AED700AF56C9404DEBBF8EE44754F00C42FFD9897201E3789590DB8B

Function 0040A0DE Relevance: 3.2, APIs: 2, Instructions: 180encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0040A22C
LocalFree.KERNEL32 ref: 0040A304

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: bdff6604ffba01dbf17363abd4d8a0f87cd84668af0e44fbdba58665eeec2796
Instruction ID: d1bfcab12d688ec36e112635e1aeeacf5dabbfdd4c7e1a16bfd4dd83dc0475a7
Opcode Fuzzy Hash: bdff6604ffba01dbf17363abd4d8a0f87cd84668af0e44fbdba58665eeec2796
Instruction Fuzzy Hash: CF91A5B09043198FDB50DF64C58579EBBF4FF48308F1084AAE988A7340D7799A94CF96

Function 004065ED Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetCursorPos.USER32 ref: 00406602
mouse_event.USER32 ref: 00406695

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Cursormouse_event
String ID:
API String ID: 1102576784-0
Opcode ID: 3052724c6d5122f159fb62323d2c676a979c4be9a027182a9b91ce99891353d6
Instruction ID: 359e4aa527543433c0896175b0ac13a633aee152ab799177bbba5732e6b4454a
Opcode Fuzzy Hash: 3052724c6d5122f159fb62323d2c676a979c4be9a027182a9b91ce99891353d6
Instruction Fuzzy Hash: 650184B0008304AAE700AF15C12936BBBE5BF80708F41CC1DE8D95A281D7BE9599DF9B

Function 0040E6D7 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

, xrefs: 0040E896

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b8d42a7b63d4474c9d296802be1ff9ad28c4bd8d98a796cadb29ad3b8ed83466
Instruction ID: 3f37d34f01cdf8a4d5bcc118966dd77b7e58c9b584f3d9175108e78e060ba070
Opcode Fuzzy Hash: b8d42a7b63d4474c9d296802be1ff9ad28c4bd8d98a796cadb29ad3b8ed83466
Instruction Fuzzy Hash: 6EE1A3316093919FD344CF2ED894467BBE2ABD9200F49C97EE5C487366C634E812DBA6

Function 0040EBAA Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

, xrefs: 0040ED88

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2cb219ad1ba735ddc1010fc04fb07be04a48c2c717d2421ba4e92f8a78365db7
Instruction ID: f2da43bf588a0edd59bf2f6faae1e16a1b9b3f048b5e8f3d7aa9867b09630d40
Opcode Fuzzy Hash: 2cb219ad1ba735ddc1010fc04fb07be04a48c2c717d2421ba4e92f8a78365db7
Instruction Fuzzy Hash: 42E1A1316093519FC344DF2ED8D046ABBE2EBC9200F89C93ED69487356CB34E915DBA6

Function 0041044B Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0041047C

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 0040FACC: GetLocalTime.KERNEL32 ref: 0040FAEE
Part of subcall function 0040FACC: CloseHandle.KERNEL32 ref: 0040FB51
Part of subcall function 0040FACC: CreateFileA.KERNEL32 ref: 0040FC04

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseCreateFileHandle_vsnprintf
String ID:
API String ID: 2103698811-0
Opcode ID: 63690216b72a1c53842b416b2d2305f02b088d60ee1072d3dd554ffcc9136bda
Instruction ID: d04b5bec65cd5e82f1f172591afcf2028d515c0c46bc0842736414adfd99d777
Opcode Fuzzy Hash: 63690216b72a1c53842b416b2d2305f02b088d60ee1072d3dd554ffcc9136bda
Instruction Fuzzy Hash: 401100F44083149AD710AF22C8812EEBBF4EF85358F00886EF5D857281D7BC8584CF9A

Function 0040658F Relevance: 1.5, APIs: 1, Instructions: 12keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32 ref: 004065B4

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: 8e793267731e74a471ce4c647f6fb3bab29bcddfc950cb6d751f583ce367ce4b
Instruction ID: ec1167725e788c181b87d7cd053c0f17ee461c09059b1ff668a5e5903f31a6cf
Opcode Fuzzy Hash: 8e793267731e74a471ce4c647f6fb3bab29bcddfc950cb6d751f583ce367ce4b
Instruction Fuzzy Hash: 71D0C9B04083046AD7007F39C12A31ABFE8AB40358F80C84CE8D88B282D2B9D1588BD2

Function 0041156C Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97078c1ec4012f78fb44af18f5c532879ac62cdecd602c122b775541fe005406
Instruction ID: 98a0f098bcfd4f2504ddc750419ae9923d1f935bb537633bc1d12b4812e28a0d
Opcode Fuzzy Hash: 97078c1ec4012f78fb44af18f5c532879ac62cdecd602c122b775541fe005406
Instruction Fuzzy Hash: 6B227077F442104BDB5CCE5ACC906AAB393BBD831035FD27D8C06AB759DAB4B94686C0

Function 0040E1C4 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31593d8cefdcca00685f87743ed0cec816f2b2c0fbbdf3ba0f037685ca3658f4
Instruction ID: 0fa8561775c5e030c237411aceb05de3c03d5ea575caaef6c8977b91e497aa65
Opcode Fuzzy Hash: 31593d8cefdcca00685f87743ed0cec816f2b2c0fbbdf3ba0f037685ca3658f4
Instruction Fuzzy Hash: 6DA1A2729281B14BD35D8F2D9865436BBE0AB0920174B85FBD8C6AB393CA74DC41DBE4

Function 0040E4F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdbce695deb1e2b3e85a9bc98d2888b1b594ebbb5921316fa6f60b82e0e5ede
Instruction ID: 2fe1e4ab88cda3d562dc2646662b34e7cd51756ed242f06843dcfce6c41a3e1b
Opcode Fuzzy Hash: cbdbce695deb1e2b3e85a9bc98d2888b1b594ebbb5921316fa6f60b82e0e5ede
Instruction Fuzzy Hash: 0351A3758082649FD7049F1EE8A00B6BBE1E78D310B09C57EEA84173A2D734F951DBE9

Function 00411CE7 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0cb38eadaf4d6d83f4dade177b392778d08c3289c2bab45c74c43a88b0d488
Instruction ID: a33a8f22ae6e85c1ab51808d79daa2e8ac5d5006bbfa8e747cb6f33f2d499034
Opcode Fuzzy Hash: 5f0cb38eadaf4d6d83f4dade177b392778d08c3289c2bab45c74c43a88b0d488
Instruction Fuzzy Hash: 52411B652093C08EC715DF6D84C055ABFE1AFA6200B08C9DEE8D99F74BD238D949C776

Function 00409681 Relevance: 53.0, APIs: 16, Strings: 14, Instructions: 460
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00409762
GetProcAddress.KERNEL32 ref: 0040978B
GetProcAddress.KERNEL32 ref: 004097A4
GetProcAddress.KERNEL32 ref: 004097BD
GetProcAddress.KERNEL32 ref: 004097D6
GetProcAddress.KERNEL32 ref: 004097EF
GetProcAddress.KERNEL32 ref: 00409808
FreeLibrary.KERNEL32 ref: 00409E1C

Strings

M, xrefs: 004096C0
<, xrefs: 004096D8
(, xrefs: 004096C8
B, xrefs: 0040968C
K, xrefs: 00409698
K, xrefs: 004096E8
;, xrefs: 00409704
p, xrefs: 004096BC
`, xrefs: 004096F4
A, xrefs: 004096A8
U, xrefs: 00409708
J, xrefs: 004096B8
7BA, xrefs: 00409D6E
T, xrefs: 004096D0

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ($7BA$;$<$A$B$J$K$K$M$T$U$`$p
API String ID: 2449869053-391259618
Opcode ID: 83dc6994b1219519ad1942492044cbd189cdd033f1be03c6e012c31656b67397
Instruction ID: f0ef341e7a26ddd6f06a2e8b11894eaa8e57a5bd707cacc1113fa0c2a1f95dfa
Opcode Fuzzy Hash: 83dc6994b1219519ad1942492044cbd189cdd033f1be03c6e012c31656b67397
Instruction Fuzzy Hash: D532A6B0908349CFDB10DFA9C58479EBBF0BF45314F00865EE498AB291D7789989CF96

Function 00405DD8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 199
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.MSVCRT ref: 00405DF4

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

getenv.MSVCRT ref: 00405E28
CreatePipe.KERNEL32 ref: 00405ED4
CreatePipe.KERNEL32 ref: 00405F07
GetStartupInfoA.KERNEL32 ref: 00405F1A
CreateProcessA.KERNEL32 ref: 00405F9A
CloseHandle.KERNEL32 ref: 00405FD6
CloseHandle.KERNEL32(?), ref: 00405FEB

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

PeekNamedPipe.KERNEL32 ref: 00406052
malloc.MSVCRT ref: 0040608A
ReadFile.KERNEL32 ref: 004060C4
CloseHandle.KERNEL32 ref: 00406119
CloseHandle.KERNEL32(00000000), ref: 00406127
TerminateProcess.KERNEL32(?,00000000), ref: 0040613E

Strings

D, xrefs: 00405E5F
", xrefs: 00406155

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$CriticalFileProcessSectiongetenv$AttributesEnterInfoLeaveNamedPeekReadStartupTerminate_vsnprintfmalloc
String ID: "$D
API String ID: 1761898876-1154559923
Opcode ID: 952761bcfc0b9674db8a1b1078ce94540f0fd060db4d0d55170df64b73035078
Instruction ID: 09788f14ea1cd9a2dde663cd501fe6c2f13b7d896097547298190afc460fad7c
Opcode Fuzzy Hash: 952761bcfc0b9674db8a1b1078ce94540f0fd060db4d0d55170df64b73035078
Instruction Fuzzy Hash: A7A1DCB48097159FDB10EF25C58879EBBF4BF44308F0189AEE488A7391D7B89984CF46

Function 00410C22 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 232
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410C65
RegEnumValueA.ADVAPI32 ref: 00410CCA
RegQueryValueExA.ADVAPI32 ref: 00410D4A
RegQueryValueExA.ADVAPI32 ref: 00410DEF

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

RegQueryValueExA.ADVAPI32 ref: 00410F14
malloc.MSVCRT ref: 00410F2D
RegQueryValueExA.ADVAPI32 ref: 00410F61
RegCloseKey.ADVAPI32 ref: 00411041

Strings

xHA, xrefs: 00410F79
_HA, xrefs: 00410E99
BHA, xrefs: 00410FC0

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseEnumOpen_vsnprintfmalloc
String ID: BHA$_HA$xHA
API String ID: 4070552197-3285710930
Opcode ID: c457b5a9a2a22c427117ce710c053d3f19028e22e154c9eaee1a1d08f0d38bc5
Instruction ID: f7014be8ebb14d179c1419ba26ae49d0402fd0cf9b8c6c09819d40fc7f6e2413
Opcode Fuzzy Hash: c457b5a9a2a22c427117ce710c053d3f19028e22e154c9eaee1a1d08f0d38bc5
Instruction Fuzzy Hash: 6BB1B8B0908355DFDB10EF29D58879ABBF4BF48344F00899EE48897251D3789AC8CF56

Function 00405A58 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184
timeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00405A73
Process32First.KERNEL32 ref: 00405A98
CloseHandle.KERNEL32 ref: 00405AA6

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

OpenProcess.KERNEL32 ref: 00405B43
GetProcessTimes.KERNEL32 ref: 00405BBF
FileTimeToSystemTime.KERNEL32 ref: 00405BF0
CloseHandle.KERNEL32 ref: 00405C83
Process32Next.KERNEL32 ref: 00405CF6
CloseHandle.KERNEL32 ref: 00405D0E

Strings

~;A, xrefs: 00405CA9
), xrefs: 00405D4D
`;A, xrefs: 00405C67

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessProcess32Time$CreateFileFirstNextOpenSnapshotSystemTimesToolhelp32_vsnprintf
String ID: )$`;A$~;A
API String ID: 1698657367-2041144709
Opcode ID: 7782544bbc45f11d423662694c1d12b3699859ba1a94dde34c3e84cc6fa2fbfb
Instruction ID: 61697017e6007795aa363774a73ed7ccfe3259b77202650b54fbf82562579c0d
Opcode Fuzzy Hash: 7782544bbc45f11d423662694c1d12b3699859ba1a94dde34c3e84cc6fa2fbfb
Instruction Fuzzy Hash: A581F9B4808715DEDB10EF25C9447AFBBF4EF84345F00896EE888A7241E7789A84DF56

Function 0040578A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 171
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 004057EB

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

connect.WS2_32 ref: 00405834
send.WS2_32 ref: 00405896
recv.WS2_32 ref: 004058D7

Strings

1;A, xrefs: 004059FB
):A, xrefs: 00405855

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsrecvsendsocket
String ID: ):A$1;A
API String ID: 2370112503-816570355
Opcode ID: 1ce466b65d3952daa620895002d9ebfd44272819a979813164e03d50d3217bf3
Instruction ID: 111cfb8894430c3ee57274e16e24e4d9ea14f12f3d6e1b24cd7d8834a0b22c56
Opcode Fuzzy Hash: 1ce466b65d3952daa620895002d9ebfd44272819a979813164e03d50d3217bf3
Instruction Fuzzy Hash: 0671FAB09087049FD710AF69C58539EBBE0EF44358F00C97EE888D7381E7B999949F4A

Function 004120D4 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 262
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411E38: malloc.MSVCRT ref: 00411E48

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

malloc.MSVCRT ref: 004121E1
htons.WS2_32 ref: 00412265
inet_ntoa.WS2_32(?), ref: 00412277
htons.WS2_32 ref: 004122BB
inet_ntoa.WS2_32 ref: 004122CD
malloc.MSVCRT ref: 004123E5
htons.WS2_32 ref: 00412473
inet_ntoa.WS2_32 ref: 00412489

Part of subcall function 00412014: CreateToolhelp32Snapshot.KERNEL32 ref: 00412060
Part of subcall function 00412014: Process32First.KERNEL32 ref: 00412084
Part of subcall function 00412014: CloseHandle.KERNEL32 ref: 004120C6

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Strings

=IA, xrefs: 00412162
N, xrefs: 00412573
}IA, xrefs: 004124A4

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: htonsinet_ntoamalloc$AddressCloseCreateFirstHandleLibraryLoadProcProcess32SnapshotToolhelp32_vsnprintf
String ID: =IA$N$}IA
API String ID: 3806733647-3309204232
Opcode ID: f26ad551e1a7b7d6af48cea083ccbc8037bc5215a3de7649536514671f8a8303
Instruction ID: f8a8161028ad7ca21a64c98559ef0398e0247d51c3e8658290eddf96b5b10619
Opcode Fuzzy Hash: f26ad551e1a7b7d6af48cea083ccbc8037bc5215a3de7649536514671f8a8303
Instruction Fuzzy Hash: 6CD1E9B09087159FCB11EF65C58479EBBF4FF84708F01889EE58897251D7B89A84CF8A

Function 0040C975 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 0040CA08
fread.MSVCRT ref: 0040CA2A
fwrite.MSVCRT ref: 0040CB9F
fclose.MSVCRT ref: 0040CBB3
SetFileAttributesA.KERNEL32 ref: 0040CBD7

Strings

4A, xrefs: 0040CAE5
4A, xrefs: 0040CA52
D, xrefs: 0040CB60
lEA, xrefs: 0040C9C7
D, xrefs: 0040CB8C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AttributesFilefclosefopenfreadfwrite
String ID: 4A$ 4A$D$D$lEA
API String ID: 89957345-2790498474
Opcode ID: 0748150ca969badcdfdb6980310fd3762a7f7f2af798bc9a52f75b0b9998ac6c
Instruction ID: a0f4930c04e500052b11a6926fbf3e4862edb1f1428525f09a58b86b76729e92
Opcode Fuzzy Hash: 0748150ca969badcdfdb6980310fd3762a7f7f2af798bc9a52f75b0b9998ac6c
Instruction Fuzzy Hash: 0D51D3F0408714EBD710EF21C58539EBBE4AF84348F41C86EE5886B281D7BD9989DF4A

Function 0040CE8B Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

SetFileAttributesA.KERNEL32 ref: 0040CEF8
fopen.MSVCRT ref: 0040CF0A
fwrite.MSVCRT ref: 0040CFB8
fclose.MSVCRT ref: 0040CFC8
SetFileAttributesA.KERNEL32 ref: 0040CFEA

Strings

DA, xrefs: 0040CEFF
D, xrefs: 0040CF7F
lEA, xrefs: 0040CEC1
D, xrefs: 0040CFA8
xEA, xrefs: 0040CEC9

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AttributesFile$_vsnprintffclosefopenfwrite
String ID: D$D$lEA$xEA$DA
API String ID: 1105125946-1048815438
Opcode ID: 330a5554e423b286da3aff255541e713e5c811e610f924629fd068ee921ce37b
Instruction ID: 8befd67c76517ca466d45368a0efbd0e1547b2cd68a55236b14d662bed35a97c
Opcode Fuzzy Hash: 330a5554e423b286da3aff255541e713e5c811e610f924629fd068ee921ce37b
Instruction Fuzzy Hash: D2310DB0508314AFC710AF25C58429EFBE5EF84358F01C86EE9C8A7341D7B88989DF5A

Function 00411154 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 151registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 004111BD
RegOpenKeyExA.ADVAPI32 ref: 00411203
RegSetValueExA.ADVAPI32 ref: 00411240
RegCloseKey.ADVAPI32 ref: 00411253
RegOpenKeyExA.ADVAPI32 ref: 00411314
RegDeleteValueA.ADVAPI32 ref: 00411334
RegCloseKey.ADVAPI32 ref: 00411346

Strings

Q, xrefs: 0041154C
?, xrefs: 00411196

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseOpenValue$CreateDelete
String ID: ?$Q
API String ID: 774071636-1039334267
Opcode ID: 6dd0c983af6d4f3e8391fe0b4817c74ec251a37638099fb634efd4853757ca54
Instruction ID: 594b76bfe066d82c118d28d1c9aa74a35dbd6311e4eca6a915345af15c47a7eb
Opcode Fuzzy Hash: 6dd0c983af6d4f3e8391fe0b4817c74ec251a37638099fb634efd4853757ca54
Instruction Fuzzy Hash: AB61E4B4908315AFD740EF69D58429EBBF4EF88354F00891EF89997311D3B8C9888F96

Function 004101B6 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 85windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

RegisterClassExA.USER32 ref: 00410263
CreateWindowExA.USER32 ref: 004102C9
GetMessageA.USER32 ref: 00410301
TranslateMessage.USER32 ref: 00410310
DispatchMessageA.USER32(00000000), ref: 00410319

Strings

0, xrefs: 0041024B
0, xrefs: 00410230
pGA, xrefs: 004101E0
wcnwClass, xrefs: 004101C0

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Message$AddressClassCreateDispatchLibraryLoadProcRegisterTranslateWindow
String ID: 0$0$pGA$wcnwClass
API String ID: 3243276898-1772338863
Opcode ID: 71b348a4bfe34ede3b44eaa997f55862cf314c9a13b8f4585a673dbf6b7d1171
Instruction ID: 5227af386e882ceadc208393300cbb36bff9ee19e55008b76853b068dc6512c6
Opcode Fuzzy Hash: 71b348a4bfe34ede3b44eaa997f55862cf314c9a13b8f4585a673dbf6b7d1171
Instruction Fuzzy Hash: 71311EB04093059BD700AF61D65839FBBF4EF84348F01892EE4946B281D7BD85C9CF9A

Function 0040DB98 Relevance: 15.2, APIs: 10, Instructions: 169networkCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040DBAB
select.WS2_32 ref: 0040DC48
__WSAFDIsSet.WS2_32 ref: 0040DC89
__WSAFDIsSet.WS2_32 ref: 0040DC9E
__WSAFDIsSet.WS2_32 ref: 0040DCB3
__WSAFDIsSet.WS2_32 ref: 0040DCC8
recv.WS2_32 ref: 0040DCFC
send.WS2_32 ref: 0040DD3A
recv.WS2_32 ref: 0040DD9E
send.WS2_32 ref: 0040DDD0

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: recvsend$mallocselect
String ID:
API String ID: 2752384660-0
Opcode ID: 8bf3d3a189aed913813953f45a5c36eede7787cde540d3ff4dd76cab598824bb
Instruction ID: 4a1c93bd732a40b2804f6e0ad1985379ed7b018d6ea50f030f98286be5360c60
Opcode Fuzzy Hash: 8bf3d3a189aed913813953f45a5c36eede7787cde540d3ff4dd76cab598824bb
Instruction Fuzzy Hash: 7661ECB09043149FDB10AFA5C58979EBBF4EF44354F10856FE958E7281E3B89A848F86

Function 00410570 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 144libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00411E38: malloc.MSVCRT ref: 00411E48

LoadLibraryA.KERNEL32 ref: 004105C5
GetProcAddress.KERNEL32 ref: 004105E0
GetProcAddress.KERNEL32 ref: 004105F4
GetProcAddress.KERNEL32 ref: 0041060C
FileTimeToSystemTime.KERNEL32 ref: 004106A8

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

GA, xrefs: 004105FB
HA, xrefs: 0041071C
', xrefs: 0041079F

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSectionTime$EnterFileLeaveLibraryLoadSystemmalloc
String ID: HA$'$GA
API String ID: 2869995242-598030498
Opcode ID: 6ff5f7cc1358fb750a3e7986d4004c61136ad8ecef7d16c959adf154a59d2ad7
Instruction ID: 96ac5f606bab2d497a7a822983fcb7c56945800001f94d05a6a568c049f0a852
Opcode Fuzzy Hash: 6ff5f7cc1358fb750a3e7986d4004c61136ad8ecef7d16c959adf154a59d2ad7
Instruction Fuzzy Hash: 6051E7B48057159ED710EF16C9886AAFBF4EF88704F10C99EE89897350E37899C4CF56

Function 004113AF Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004113D0
RegQueryValueExA.ADVAPI32 ref: 00411416
malloc.MSVCRT ref: 0041142F
RegQueryValueExA.ADVAPI32 ref: 00411472
RegSetValueExA.ADVAPI32 ref: 004114B8
RegDeleteValueA.ADVAPI32 ref: 004114D4
RegCloseKey.ADVAPI32 ref: 004114F7

Strings

Q, xrefs: 0041154C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseDeleteOpenmalloc
String ID: Q
API String ID: 262012908-3463352047
Opcode ID: 700ca1186a7c3fb542b7772a98515681c9436a3c83c751acc84dab658f0d9f4b
Instruction ID: fab9c0b65614be5e3debc5e3cfdb5f30ae1d0cfcd0c0ecf47d199c32b6813020
Opcode Fuzzy Hash: 700ca1186a7c3fb542b7772a98515681c9436a3c83c751acc84dab658f0d9f4b
Instruction Fuzzy Hash: 7451E8B49053199FCB50EF69D58478ABBF4AF88744F00896EE888D3311E378DA84CF56

Function 00407B77 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00407B91

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

getenv.MSVCRT ref: 00407BD0

Part of subcall function 00404BE8: GetFileAttributesExA.KERNEL32 ref: 00404C03

fopen.MSVCRT ref: 00407C04
malloc.MSVCRT ref: 00407C5A
fread.MSVCRT ref: 00407C9E
fclose.MSVCRT ref: 00407CF9
fclose.MSVCRT ref: 00407D1A

Strings

4?A, xrefs: 00407CCC

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AttributesFilefclosegetenv$_vsnprintffopenfreadmalloc
String ID: 4?A
API String ID: 3920827873-2233913188
Opcode ID: 0734a81ae9558e2d6666e7e864e966c46805246213be3467a8d45702887ffd2f
Instruction ID: b13287e39e793b54e87ec7d120e36690ef4d4ff5c2c2a62a5dcbcdf9b80f6115
Opcode Fuzzy Hash: 0734a81ae9558e2d6666e7e864e966c46805246213be3467a8d45702887ffd2f
Instruction Fuzzy Hash: 8E41B3B45483858FC720EF25C18979EBBE0BF94308F118C2EE49497351E7789989CB9B

Function 0040BE82 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B8A9: getenv.MSVCRT ref: 0040B8BE
Part of subcall function 0040B8A9: GetUserNameA.ADVAPI32 ref: 0040B8D4

Part of subcall function 0040B840: gethostname.WS2_32 ref: 0040B86C
Part of subcall function 0040B840: GetComputerNameA.KERNEL32 ref: 0040B883

Part of subcall function 0040BC7C: GetTickCount.KERNEL32 ref: 0040BCAF

Part of subcall function 004051A9: GetModuleFileNameA.KERNEL32 ref: 004051C6

getenv.MSVCRT ref: 0040BFA7
getenv.MSVCRT ref: 0040BFB5

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

KCA, xrefs: 0040BF1A
%, xrefs: 0040C0FD
H4A, xrefs: 0040C028
l5A, xrefs: 0040C04E
l4A, xrefs: 0040C030

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Namegetenv$CriticalSection$ComputerCountEnterFileLeaveModuleTickUsergethostname
String ID: %$H4A$KCA$l4A$l5A
API String ID: 3776303047-1407204963
Opcode ID: 6b27ce5cf2719641ceba1825dcb303ce74c8cb670ba7a36cf7aae4d491be4723
Instruction ID: 4fc35f1c36761601e3f94c08449797863b3ba5a8779402fbf7500d7d94f70578
Opcode Fuzzy Hash: 6b27ce5cf2719641ceba1825dcb303ce74c8cb670ba7a36cf7aae4d491be4723
Instruction Fuzzy Hash: 63619DB48087809FD320EF65C18469FFBE4AF89348F10892EE9D897351D77995488F9A

Function 0040FACC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103filetimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040FAEE
CloseHandle.KERNEL32 ref: 0040FB51
CloseHandle.KERNEL32 ref: 0040FB74
CreateFileA.KERNEL32 ref: 0040FC04
SetFilePointer.KERNEL32 ref: 0040FC3D
WriteFile.KERNEL32 ref: 0040FC74

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Strings

XFA, xrefs: 0040FB17

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerTimeWrite_vsnprintf
String ID: XFA
API String ID: 3264027427-974536607
Opcode ID: 5426f6b5fcb6f37349fd10ab8936c85668ceefb8216ac6fbee4be49d56c4ea83
Instruction ID: 74df94b654997151f3d9fe86a2003a3cd3b12ed2526cd4b1bb9af366b3238621
Opcode Fuzzy Hash: 5426f6b5fcb6f37349fd10ab8936c85668ceefb8216ac6fbee4be49d56c4ea83
Instruction Fuzzy Hash: A9412DF08083058AD720AF65D5453AABBF0FB44369F10CA3EE4A5973D1D7BC55888F9A

Function 0041099B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 004109F8
RegOpenKeyExA.ADVAPI32 ref: 00410A2D

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

RegEnumKeyExA.ADVAPI32 ref: 00410A8D
RegCloseKey.ADVAPI32 ref: 00410AA2
RegDeleteKeyA.ADVAPI32(00000000), ref: 00410AB2

Strings

@, xrefs: 00410AD7
8HA, xrefs: 004109C0

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Delete$CloseEnumOpen_vsnprintf
String ID: 8HA$@
API String ID: 3258335120-4290720585
Opcode ID: 20c6c6a820e3336058dbda9cad8de54f9f27bf6bfc08787d99569cd706a3b572
Instruction ID: 0ac56a4377049136f8aa7fc1996f8a468577ce0a8a281fa06c0a24f8a4011f3d
Opcode Fuzzy Hash: 20c6c6a820e3336058dbda9cad8de54f9f27bf6bfc08787d99569cd706a3b572
Instruction Fuzzy Hash: A741C3B48083069FDB10EF65C59879BBBE4EF84344F00895EE89897241D3B99989CF86

Function 0040C2AE Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C308

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

fopen.MSVCRT ref: 0040C37D
fwrite.MSVCRT ref: 0040C39B
fclose.MSVCRT ref: 0040C3A3
getenv.MSVCRT ref: 0040C3AF

Strings

DA, xrefs: 0040C372
l6A, xrefs: 0040C33B

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintffclosefopenfwrite
String ID: l6A$DA
API String ID: 3159630692-3596656015
Opcode ID: cbee2f29c891b821309839180577e5a7298b3d5f7dab118ea466cf333c3704da
Instruction ID: 3074a073850966244afaf778b265e688697f6f49e8b5883d7ae2296f66400148
Opcode Fuzzy Hash: cbee2f29c891b821309839180577e5a7298b3d5f7dab118ea466cf333c3704da
Instruction Fuzzy Hash: 643192B05087409BD310AF6AC58529EBBE0FF84748F01CD2EE4D99B241D7BD95889F5A

Function 0040DE75 Relevance: 12.2, APIs: 8, Instructions: 151networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0040DEE6
__WSAFDIsSet.WS2_32 ref: 0040DEFF
recv.WS2_32 ref: 0040DF2D
recv.WS2_32 ref: 0040DF69
recv.WS2_32 ref: 0040DFEF
htons.WS2_32 ref: 0040E04B
socket.WS2_32 ref: 0040E095
connect.WS2_32 ref: 0040E0D1

Part of subcall function 0040DE3E: send.WS2_32 ref: 0040DE67

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: recv$closesocketconnecthtonsselectsendshutdownsocket
String ID:
API String ID: 1430705073-0
Opcode ID: cc10febddf6c8073bb1f690ceeeca895f7ed61e81b178301ed85d69d0d59df5a
Instruction ID: 8a0027b1871d40354a670ab6b011452358f9e24804312f26f221fa92e8f0c63b
Opcode Fuzzy Hash: cc10febddf6c8073bb1f690ceeeca895f7ed61e81b178301ed85d69d0d59df5a
Instruction Fuzzy Hash: 99611EB08097149FDB10EF25C58979EBBF4FF44344F1089AEE48897291E7B89598CF86

Function 00405524 Relevance: 12.1, APIs: 8, Instructions: 79fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040554D

Part of subcall function 0040549D: fgetpos.MSVCRT ref: 004054C3

fgetpos.MSVCRT ref: 00405592
fsetpos.MSVCRT ref: 004055CD
malloc.MSVCRT ref: 004055D9
fread.MSVCRT ref: 004055F9
realloc.MSVCRT ref: 0040560F
fclose.MSVCRT ref: 0040561B
fclose.MSVCRT ref: 0040562C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fclosefgetpos$fopenfreadfsetposmallocrealloc
String ID:
API String ID: 3217104080-0
Opcode ID: feea2a42410a150057346b256c85a7e3d2659e253700c393a0a92c9fae14d72c
Instruction ID: 84f89338b0f2ad620864214a04b56a16ad267c4d8d295640036067ac5af64e8a
Opcode Fuzzy Hash: feea2a42410a150057346b256c85a7e3d2659e253700c393a0a92c9fae14d72c
Instruction Fuzzy Hash: FC31D3B0509B019AD710EF26D68535FBBE4EF84748F404C2EE48897291D7B9D988CF5A

Function 00404A9D Relevance: 12.1, APIs: 8, Instructions: 76fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00404AB3
fopen.MSVCRT ref: 00404AD1
malloc.MSVCRT ref: 00404AF1
fread.MSVCRT ref: 00404B13
fwrite.MSVCRT ref: 00404B41
free.MSVCRT(?,?,?,?,?,?,?,?,00000007,?,0040CC98), ref: 00404B53
fclose.MSVCRT ref: 00404B64
fclose.MSVCRT ref: 00404B70

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fclosefopen$freadfreefwritemalloc
String ID:
API String ID: 3268861121-0
Opcode ID: 7692bdaf6cf9a6fe2cdd44cad3a7fdfe300091da52ebf57c6ebd8fafc62080a2
Instruction ID: 4e26785ce0d18f6dab09d7e247152080db2387a4ddab37ed6860b4f4aa8509f8
Opcode Fuzzy Hash: 7692bdaf6cf9a6fe2cdd44cad3a7fdfe300091da52ebf57c6ebd8fafc62080a2
Instruction Fuzzy Hash: 71210AB06087008EC750AF76858166FBBE4AF84354F10882EE5D8D7381D6BDE885CB4A

Function 00408F96 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 301fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00408FBB

Strings

/, xrefs: 00409376
, xrefs: 0040901C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fopen
String ID: $/
API String ID: 1432627528-2637513485
Opcode ID: fc0029ca030e7d8461ea3c3aa89d809796b8c28de517c9d4e449b8cdb61640e9
Instruction ID: e335f4893fcbe95b33d83db71ffdefd5011d0c2ec99bd8187d9d8cd14b7d3c2e
Opcode Fuzzy Hash: fc0029ca030e7d8461ea3c3aa89d809796b8c28de517c9d4e449b8cdb61640e9
Instruction Fuzzy Hash: D7E1E6B48083199FCB10EFA5D58469EBBF0FF44314F50886EE899A7381D7789A85CF46

Function 0040D3E7 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040D41E
fgetpos.MSVCRT ref: 0040D45B
fopen.MSVCRT ref: 0040D6BF
fopen.MSVCRT ref: 0040D491

Part of subcall function 0040549D: fgetpos.MSVCRT ref: 004054C3

fread.MSVCRT ref: 0040D7FC

Strings

"FA, xrefs: 0040D6B4

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fopen$fgetpos$fread
String ID: "FA
API String ID: 1519157137-1668338201
Opcode ID: c80bc8ae3df67dc0496436a0cb53f723b7a8415e37c177a36a69a3267f043ebb
Instruction ID: 8b5dd919a6c16fb1b8c7a3920ea3275975f0a20c828cac0e41251de37c129676
Opcode Fuzzy Hash: c80bc8ae3df67dc0496436a0cb53f723b7a8415e37c177a36a69a3267f043ebb
Instruction Fuzzy Hash: A4D1FAB49087419FC310EF65C0887AABBE0BF88354F15897EE5D89B396D3789885CF46

Function 00403F73 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00403FA3
malloc.MSVCRT ref: 00403FED
send.WS2_32 ref: 0040408C
WSAGetLastError.WS2_32 ref: 0040409B
LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

-, xrefs: 00403FAC

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeavemallocsend
String ID: -
API String ID: 1786834168-2547889144
Opcode ID: 5696e040c501629a2f1978b70cac4920d289bdbc117d9e00008f85baebfd7334
Instruction ID: 38d28748d84b584a290a71d19c19f95a6763138028e903192b294b18625f3013
Opcode Fuzzy Hash: 5696e040c501629a2f1978b70cac4920d289bdbc117d9e00008f85baebfd7334
Instruction Fuzzy Hash: C241A0B09047058FCB10AF79C58019EBBE4EF81324F11867FE6A4A72D1D7BC89458B9A

Function 004036A6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0040370C
send.WS2_32 ref: 004037B1
select.WS2_32 ref: 00403817
__WSAFDIsSet.WS2_32 ref: 0040382E
recv.WS2_32 ref: 00403854

Strings

Z, xrefs: 00403865

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: htonsrecvselectsend
String ID: Z
API String ID: 3248711867-1505515367
Opcode ID: 4e98d9fc3d65689fafd845c2dddca78e7eae01e0da4b0ad0300fced443896cca
Instruction ID: 41855fdb71bab7f2f7b524b6be45631769302bcb6c034a2f712c87405e66b5eb
Opcode Fuzzy Hash: 4e98d9fc3d65689fafd845c2dddca78e7eae01e0da4b0ad0300fced443896cca
Instruction Fuzzy Hash: 534142B08083189BD711EF25C58439EFFF4EF44754F1089AEE89897381D7798A848F96

Function 00407D2B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00407D40

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

fopen.MSVCRT ref: 00407D74
fgets.MSVCRT ref: 00407EC5
fclose.MSVCRT ref: 00407EDC

Strings

9?A, xrefs: 00407D49
t?A, xrefs: 00407E50

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: _vsnprintffclosefgetsfopengetenv
String ID: 9?A$t?A
API String ID: 3106633423-361060513
Opcode ID: 1cfe00ea726ca5de47ff4484029823c571a458226f08b3e1a3be3d5acd8c2b94
Instruction ID: 2310f2a4a80d5d50e96d5bd15a956ea174fc0d9324c7ee7adc87f858bb97abb1
Opcode Fuzzy Hash: 1cfe00ea726ca5de47ff4484029823c571a458226f08b3e1a3be3d5acd8c2b94
Instruction Fuzzy Hash: 234186B040D3449BD710DF65C18879EBBE4AF88318F508A6EE4D897291E3789685DF4B

Function 00410B14 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410B47
RegEnumKeyExA.ADVAPI32 ref: 00410BA6
RegCloseKey.ADVAPI32 ref: 00410C10

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Strings

>HA, xrefs: 00410BBD
@, xrefs: 00410BC5
@, xrefs: 00410BF8

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen_vsnprintf
String ID: >HA$@$@
API String ID: 2247870055-995552534
Opcode ID: 66b716632745de7941a210d9b553e3b1e1648a58aa5596adc30a80249648cf52
Instruction ID: d951ec1614c52a30530e91913a323e11f85892ad2653d04f7f4d1dffaba572d0
Opcode Fuzzy Hash: 66b716632745de7941a210d9b553e3b1e1648a58aa5596adc30a80249648cf52
Instruction Fuzzy Hash: F421F7B49083159FDB10EF6AC58579EBBF4EF84344F00895EE89897340D3B895888F96

Function 00403BD0 Relevance: 9.2, APIs: 6, Instructions: 169networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00403C4C
connect.WS2_32 ref: 00403C66

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

socket.WS2_32 ref: 00403D89
connect.WS2_32 ref: 00403DA3
socket.WS2_32 ref: 00403E29
connect.WS2_32 ref: 00403E48

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: connectsocket$closesocketgethostbynamehtonsshutdown
String ID:
API String ID: 4225652895-0
Opcode ID: a9d067e1c457786c3d9dea246259b8e02cacda7e4379102a03f46eb3febae908
Instruction ID: 0fba90beb908a74255dcb7be2595a4d410f269a42543519fa0d916bf3a195bc6
Opcode Fuzzy Hash: a9d067e1c457786c3d9dea246259b8e02cacda7e4379102a03f46eb3febae908
Instruction Fuzzy Hash: 5C712B709047059FDB00EF2AC58069ABFF8AF48719F00CA7EE898A7391D7789545CF5A

Function 00406A02 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

i<A, xrefs: 00406CB2

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID: i<A
API String ID: 0-3396280644
Opcode ID: 1d0d877c6ff3b457f1f93cad1e2a8c7d877c21866f896b3bbabe40e6541063c4
Instruction ID: b52f65bf3ebe0c6bec769d91c54d5e0de07e6e71933a3923709542a0b49869a4
Opcode Fuzzy Hash: 1d0d877c6ff3b457f1f93cad1e2a8c7d877c21866f896b3bbabe40e6541063c4
Instruction Fuzzy Hash: 1691BBF49043189ECB10EF65C5886DEB7F4BF84308F0188AED499A7341E7799698CF5A

Function 0040CBE8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004051A9: GetModuleFileNameA.KERNEL32 ref: 004051C6

ExitProcess.KERNEL32 ref: 0040CD3F
fopen.MSVCRT ref: 0040CE13

Part of subcall function 004049EC: GetFileAttributesA.KERNEL32 ref: 004049F9
Part of subcall function 004049EC: SetFileAttributesA.KERNEL32 ref: 00404A13
Part of subcall function 004049EC: DeleteFileA.KERNEL32 ref: 00404A1D

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

Part of subcall function 004053D0: Sleep.KERNEL32 ref: 004053DC

Strings

}EA, xrefs: 0040CE08
|3A, xrefs: 0040CD60
T3A, xrefs: 0040CD98

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: File$Attributes$DeleteExitModuleNameProcessSleepfopen
String ID: T3A$|3A$}EA
API String ID: 1458395772-2817059344
Opcode ID: 0567612a08aeedec2578e0bb13782989d259f3bc8451fa6396a77ae677604975
Instruction ID: 2b3d1a5baa3bd1cf932fe89ddea18cb132307519ae0653ad0a0bce4ccc4217a3
Opcode Fuzzy Hash: 0567612a08aeedec2578e0bb13782989d259f3bc8451fa6396a77ae677604975
Instruction Fuzzy Hash: 9351F8B0408304DADB00BF55D5853AEBBE0EF85748F01C96EE9D82B2C2C7BD8485DB5A

Function 0040350F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

send.WS2_32 ref: 004035CF
select.WS2_32 ref: 00403636
__WSAFDIsSet.WS2_32 ref: 0040364D
recv.WS2_32 ref: 00403673

Strings

Z, xrefs: 00403691

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: gethostbynamehtonsrecvselectsend
String ID: Z
API String ID: 3406712544-1505515367
Opcode ID: 2052dc56e84d1895f0a9dc48bb66c4f5a486c86b75d998e0f50038cb2b252e93
Instruction ID: 25d11018809a7eb39efaaf5dad8f928c3adfea759ab23c1d514ecca4a790f553
Opcode Fuzzy Hash: 2052dc56e84d1895f0a9dc48bb66c4f5a486c86b75d998e0f50038cb2b252e93
Instruction Fuzzy Hash: E0410EB1808354AEDB10EF25C98539EBFF4EF44744F4088AEE58897241D3798688CF96

Function 0040536B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040537E
fread.MSVCRT ref: 004053A4
fclose.MSVCRT ref: 004053B1
fclose.MSVCRT ref: 004053B8

Strings

MZ, xrefs: 004053BD

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fclose$fopenfread
String ID: MZ
API String ID: 3873288765-2410715997
Opcode ID: 9657f1b3b1119f5c7091767e8c38fd4cd0b6de0af593628b6b6d8a26fd817a22
Instruction ID: 7b064f6efc5561fa8d981c57a4d5f2286d9b9c7c5dfa20d8d859c38ff18431d6
Opcode Fuzzy Hash: 9657f1b3b1119f5c7091767e8c38fd4cd0b6de0af593628b6b6d8a26fd817a22
Instruction Fuzzy Hash: 5EF03AB0419700CAC700AF61858525FBAF4AB44344F009C2EE881C6241E2FCE5D5CF4B

Function 0040A3FF Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040A410
malloc.MSVCRT ref: 0040A42E

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 8d8346ef929e1ced26dc955478b1234d41a5a0a3707666c689b57026b96a782c
Instruction ID: 26bb1f18f2193ca7105f6668e1ca156be76c16a9896446137979092a5f984e1d
Opcode Fuzzy Hash: 8d8346ef929e1ced26dc955478b1234d41a5a0a3707666c689b57026b96a782c
Instruction Fuzzy Hash: 1931D9B49087459FCB00EFA9C5456AEBBF0BF44304F10886EE884E7391E378D994DB5A

Function 00403AE4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

send.WS2_32 ref: 00403A75
recv.WS2_32 ref: 00403AB4

Strings

d9A, xrefs: 00403AC4
<9A, xrefs: 00403A35

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: _vsnprintfrecvsend
String ID: <9A$d9A
API String ID: 2169655391-3684208877
Opcode ID: cb9b3686f7f4fcb9cddf240828ed71f2e9948656a8b5db5f00621b93540a1a2c
Instruction ID: 19fb78dcce55241861ebc919b22c83996a17c647a2e60c8ff9f1e2ac8e80e217
Opcode Fuzzy Hash: cb9b3686f7f4fcb9cddf240828ed71f2e9948656a8b5db5f00621b93540a1a2c
Instruction Fuzzy Hash: EC31C0B1908306AFD700EF6AD48425FBFE4EB88355F20C82EE49897351D3799544CF9A

Function 00401382 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401389
getenv.MSVCRT ref: 00401473

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

getenv.MSVCRT ref: 004014AA

Strings

h7A, xrefs: 004014B3

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintfmalloc
String ID: h7A
API String ID: 3160696619-676958904
Opcode ID: 24f8ad3eeab229b166db779fb24b56ae56ad6a2f636f618f2603998dfb92f2a0
Instruction ID: da40df5e69458c8760323637a72a71e7466935cdfa80261ed07db2837aecf0b1
Opcode Fuzzy Hash: 24f8ad3eeab229b166db779fb24b56ae56ad6a2f636f618f2603998dfb92f2a0
Instruction Fuzzy Hash: 174192B44097459ED710EF25C58439EFBE0BF84348F00C86EE4E997291D7B99588CF8A

Function 00406764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 004067A6
fread.MSVCRT ref: 004067E2
fclose.MSVCRT ref: 004068C7

Strings

<A, xrefs: 00406794

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: <A
API String ID: 2679521937-2242986680
Opcode ID: 3255f0eda0f9efa45981df8b516c8895c60192bd2f3e5c8e8557ede3df203789
Instruction ID: c26952ae3abd0985e6c18063cdff218bc95691b3f2700e39173d3eaef08d73c9
Opcode Fuzzy Hash: 3255f0eda0f9efa45981df8b516c8895c60192bd2f3e5c8e8557ede3df203789
Instruction Fuzzy Hash: 983192B55493859FD360EF68C18979EBBE0AFA4304F018C2EE498C7341E7789594CB97

Function 0040C118 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

Part of subcall function 0040536B: fopen.MSVCRT ref: 0040537E
Part of subcall function 0040536B: fread.MSVCRT ref: 004053A4
Part of subcall function 0040536B: fclose.MSVCRT ref: 004053B1

CreateProcessA.KERNEL32 ref: 0040C1C0

Part of subcall function 0040C5EC: ReleaseMutex.KERNEL32(?,?,?,?,?,0040C1D1), ref: 0040C5FE
Part of subcall function 0040C5EC: CloseHandle.KERNEL32(00000000,?,?,?,?,?,0040C1D1), ref: 0040C60C

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

ResumeThread.KERNEL32 ref: 0040C1E2
ExitProcess.KERNEL32 ref: 0040C1F2

Strings

D, xrefs: 0040C14A

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: Process$AttributesCloseCreateExitFileHandleMutexReleaseResumeThreadclosesocketfclosefopenfreadshutdown
String ID: D
API String ID: 1496764705-2746444292
Opcode ID: f05f0b2134a514c4cfa47bf0798895f83db7c70430c778cf8ac7f942262e3f95
Instruction ID: b6b9766ed53505c4010a4c8c24d49106edac11c49aed5e074c3242c655f6055b
Opcode Fuzzy Hash: f05f0b2134a514c4cfa47bf0798895f83db7c70430c778cf8ac7f942262e3f95
Instruction Fuzzy Hash: 6521E9B04083049AD710AF66C59535EFBF4FF80348F01892EE8C86B282C7BD9549DF8A

Function 0040C4A1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 0040C51C

Part of subcall function 00410936: RegOpenKeyExA.ADVAPI32 ref: 00410963
Part of subcall function 00410936: RegDeleteValueA.ADVAPI32 ref: 0041097C
Part of subcall function 00410936: RegCloseKey.ADVAPI32 ref: 0041098E

Strings

lEA, xrefs: 0040C544
xEA, xrefs: 0040C54C
7EA, xrefs: 0040C4EC

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValuefclose
String ID: 7EA$lEA$xEA
API String ID: 3171391837-703029007
Opcode ID: 192d2399ce94cc7230b9445624a158a12f170591d79e1ed4219d18e2e18af25a
Instruction ID: e3b04a7aa2cede327fc92e6a7033fe610f59aa74083eac3105ada9e39676499c
Opcode Fuzzy Hash: 192d2399ce94cc7230b9445624a158a12f170591d79e1ed4219d18e2e18af25a
Instruction Fuzzy Hash: 3421C2F04097049BD710BF61D5C525EBBE0AF85348F418D6EA5C42B382D7BCD589CB4A

Function 0040491C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 004049C0
CloseHandle.KERNEL32 ref: 004049D2
CloseHandle.KERNEL32(?), ref: 004049DE

Strings

D, xrefs: 0040492D

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 724e75efeb19002958ae05069f2742baf8af5b34950677b2ca7c14ff1c61b838
Instruction ID: fbab935f1d6e7dfe8e1afacba237a6d306025f386285e64f9b565e12cc85bf14
Opcode Fuzzy Hash: 724e75efeb19002958ae05069f2742baf8af5b34950677b2ca7c14ff1c61b838
Instruction Fuzzy Hash: 4D21B8B09043049BDB00EF66C58979FFBF4FF84758F00891EE998AB241D3B99548CB96

Function 00405105 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040512E
GetProcAddress.KERNEL32 ref: 0040513F

Strings

9A, xrefs: 00405161
9A, xrefs: 0040517C

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: 9A$9A
API String ID: 2574300362-3490971509
Opcode ID: cc797c492ef9caf5c0117e5ae6c5c0815f14dd54aa7156b9da78e63957f52b68
Instruction ID: d48a13e1259b84ce47518d3fc8ea4e1be4dd1f7cc282424d645e1903eb2c55b3
Opcode Fuzzy Hash: cc797c492ef9caf5c0117e5ae6c5c0815f14dd54aa7156b9da78e63957f52b68
Instruction Fuzzy Hash: 9A1182B5A186088AEB00DFA6C8457EFBBF4EF84315F00452ED454AB281D7B95648CBA9

Function 004107C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00410812
RegSetValueExA.ADVAPI32 ref: 00410852
RegCloseKey.ADVAPI32 ref: 00410865

Strings

?, xrefs: 004107E8

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: dd198b324af1f7d1d6115da84e5c78cee6d1e84605931b42d2194f5b6d9b08f2
Instruction ID: de5f51fec4fde91fab39cf441f97a3d451695e635ae9fe9040f3b00c87144a0a
Opcode Fuzzy Hash: dd198b324af1f7d1d6115da84e5c78cee6d1e84605931b42d2194f5b6d9b08f2
Instruction Fuzzy Hash: 771104B49083059FCB00EF69C58578EBBE4FB88354F00892EF89893341D775D6998B92

Function 0040FC8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040FC96
GetLocalTime.KERNEL32 ref: 0040FCB5
GetWindowTextA.USER32 ref: 0040FCD5

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 0040FACC: GetLocalTime.KERNEL32 ref: 0040FAEE
Part of subcall function 0040FACC: CloseHandle.KERNEL32 ref: 0040FB51
Part of subcall function 0040FACC: CreateFileA.KERNEL32 ref: 0040FC04

Strings

iFA, xrefs: 0040FCF2

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: LocalTimeWindow$CloseCreateFileForegroundHandleText_vsnprintf
String ID: iFA
API String ID: 3580565685-532656184
Opcode ID: 1aff4795dfc0327aeea1d95e4b5645bb98b7c719d73cf3fcfcb6769fde18ddb5
Instruction ID: b764b7c7e3ce9a8742e91d82a078812a5e52898d48a247f202ffd875ffd9796c
Opcode Fuzzy Hash: 1aff4795dfc0327aeea1d95e4b5645bb98b7c719d73cf3fcfcb6769fde18ddb5
Instruction Fuzzy Hash: 0B11D0B09047158AC760DF25C9852AFBBF0BB48745F0048BFE89892281E7789A84CF55

Function 00409E36 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D46: LoadLibraryA.KERNEL32 ref: 00408D5D
Part of subcall function 00408D46: GetProcAddress.KERNEL32 ref: 00408D76
Part of subcall function 00408D46: GetProcAddress.KERNEL32 ref: 00408D8F

strlen.MSVCRT ref: 00409E8A
strlen.MSVCRT ref: 00409F46

Strings

PBA, xrefs: 00409F03
FBA, xrefs: 00409EFB

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressProcstrlen$LibraryLoad
String ID: FBA$PBA
API String ID: 4231066107-499912699
Opcode ID: 6f2943ea69b5601c6fb473e7726b18b6da326a7cf562ba05f51fd6495db2688f
Instruction ID: 9e328e6807ef34be45c85218d331cd70b7ec3c06c4783886c869fbf07ef2d3cd
Opcode Fuzzy Hash: 6f2943ea69b5601c6fb473e7726b18b6da326a7cf562ba05f51fd6495db2688f
Instruction Fuzzy Hash: 285122B450A3418FD360EF25C18879BBBE0AF88358F108D6EE898D7351E779A644CF46

Function 00403403 Relevance: 6.1, APIs: 4, Instructions: 62networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00403433
setsockopt.WS2_32 ref: 0040346D
WSAIoctl.WS2_32 ref: 004034CC
setsockopt.WS2_32 ref: 004034FF

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: setsockopt$Ioctlioctlsocket
String ID:
API String ID: 1196899187-0
Opcode ID: a461ac8e76b1af521f6aa5c3f1d20aad4c1e6dd5677a94f068e25c2a8bb63ffb
Instruction ID: 7a42e807d59b39563e190e3c94fb581eeb6c362007682e1a77285fd579c17996
Opcode Fuzzy Hash: a461ac8e76b1af521f6aa5c3f1d20aad4c1e6dd5677a94f068e25c2a8bb63ffb
Instruction Fuzzy Hash: F421F9B18083059ED700EF59C14978EFFF4AF88348F40852DE99867351D3BA9A58CF96

Function 00410874 Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00406956), ref: 004108A6
RegQueryValueExA.ADVAPI32 ref: 004108DB
RegQueryValueExA.ADVAPI32 ref: 00410913
RegCloseKey.ADVAPI32 ref: 00410926

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: 9d64b517f66c06f16d5f843a15594f141739a492221e3a5e05f59e9dc269c386
Instruction ID: de7d998bdf0431f81fce0f1b4b98555c5c5cd8fac54ee446781ae9f2ba5babf7
Opcode Fuzzy Hash: 9d64b517f66c06f16d5f843a15594f141739a492221e3a5e05f59e9dc269c386
Instruction Fuzzy Hash: 1E21B9B590430A9BDB00EF69D54568EBBF4EF84354F00892EE894A7201E3B599548F96

Function 00408620 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004080D4: RegOpenKeyExA.ADVAPI32 ref: 00408133
Part of subcall function 004080D4: RegEnumKeyExA.ADVAPI32 ref: 004085FA
Part of subcall function 004080D4: RegCloseKey.ADVAPI32 ref: 00408613

strlen.MSVCRT ref: 00408662
strlen.MSVCRT ref: 004086C2

Strings

@A, xrefs: 004086A3
h@A@A, xrefs: 00408643

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: strlen$CloseEnumOpen
String ID: h@A@A$@A
API String ID: 2898426016-2382529649
Opcode ID: 04493f81e893d87e5cdb45f7a15133dfe5f87d2a2ade8e70fb33ef72d01dd08d
Instruction ID: 43caab86a60b9782cf43506bfa4acbeaedb95704d78b05a79be1e40975aecc5e
Opcode Fuzzy Hash: 04493f81e893d87e5cdb45f7a15133dfe5f87d2a2ade8e70fb33ef72d01dd08d
Instruction Fuzzy Hash: EA212BB49093409FC780DF29C184A5ABBE0AF88758F419D2EF898A7351E779DA448F46

Function 0040549D Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

fgetpos.MSVCRT ref: 004054C3
fflush.MSVCRT ref: 004054E3
_filelengthi64.MSVCRT ref: 004054EE
fsetpos.MSVCRT ref: 00405518

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: _filelengthi64fflushfgetposfsetpos
String ID:
API String ID: 3378604764-0
Opcode ID: 572dcf07db478e5abad55a682674c9eb40fbba65b5d1769d826eff8997001d5c
Instruction ID: c88433ada2e8ae88a1ca8b46f9d19cc589c7607253fba5790791b08eec88f6cd
Opcode Fuzzy Hash: 572dcf07db478e5abad55a682674c9eb40fbba65b5d1769d826eff8997001d5c
Instruction Fuzzy Hash: F70105B180C7019BC750EF25898055BBBE4EE94364F605D2FF891D2296E238E8858F96

Function 004011DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004011E5
getenv.MSVCRT ref: 004012A5

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Part of subcall function 004053E4: _beginthreadex.MSVCRT ref: 00405417
Part of subcall function 004053E4: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040CE77), ref: 00405423

Strings

U7A, xrefs: 004012AE

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: CloseHandle_beginthreadex_vsnprintfgetenvmalloc
String ID: U7A
API String ID: 32720251-82502779
Opcode ID: 417f50b027077d185518eb8a1aa58f9e89a40c02a9a88697fb44f43126abe7df
Instruction ID: 8e6f58167c22f5e645b0097591fc0f3714b52ad41ce119bed0005e673d7392ec
Opcode Fuzzy Hash: 417f50b027077d185518eb8a1aa58f9e89a40c02a9a88697fb44f43126abe7df
Instruction Fuzzy Hash: CE2185F04087459ED710AF65C18839EBBE0BF84358F008C2EE5E99B291C7BD91888F86

Function 0040D938 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0040D94D
SendMessageA.USER32 ref: 0040D974

Part of subcall function 0040B003: _vsnprintf.MSVCRT ref: 0040B027

Strings

(FA, xrefs: 0040D98E

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: MessageSendVisibleWindow_vsnprintf
String ID: (FA
API String ID: 3977088758-1860655055
Opcode ID: 760b530b3583e3638550acf58721dfcdc46b192b21ffc769ca91e197663634be
Instruction ID: 0931136deb13f06f06eb408ecf803e4a1a5f867b5632cb71c022813c8d6a8fd6
Opcode Fuzzy Hash: 760b530b3583e3638550acf58721dfcdc46b192b21ffc769ca91e197663634be
Instruction Fuzzy Hash: 3F010CB0908304ABD710AFA5C98569FBBE4EF44364F01882EF8D897341D7B8D598CB96

Function 0040BC7C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040BCAF

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

Strings

CA, xrefs: 0040BCC9
@, xrefs: 0040BCE3

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: AddressCountLibraryLoadProcTick
String ID: @$CA
API String ID: 4181504871-3183928166
Opcode ID: 3b484b7422b032f322c7c83339abf1a8b61b6e3488d295d3d365209fae6e771e
Instruction ID: 648be96d8c6c49ef04c96796c73a111c2a75e4022e31c03811d7ba915960d5b1
Opcode Fuzzy Hash: 3b484b7422b032f322c7c83339abf1a8b61b6e3488d295d3d365209fae6e771e
Instruction Fuzzy Hash: A311EEB0501704CBDB00DFA5D18478ABBF0AF44308F048069D848AF38AE7B8D9448FA6

Function 0040B840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 0040B86C
GetComputerNameA.KERNEL32 ref: 0040B883

Strings

8CA, xrefs: 0040B892

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID: ComputerNamegethostname
String ID: 8CA
API String ID: 1822310196-263586042
Opcode ID: 55d55492aa1e64814c378c23cd9283483dc1b1f580238bba7f06dcab4b1e5b85
Instruction ID: 1f9f0f5355700a67fcf1235cda8d1ef190c0c78acdb3afe340083182e67e7d39
Opcode Fuzzy Hash: 55d55492aa1e64814c378c23cd9283483dc1b1f580238bba7f06dcab4b1e5b85
Instruction Fuzzy Hash: 24F0E1B0805304AFD710AF56C9815AEFBF8FF44754F41C82EF89893201E37899519B96

Function 00401847 Relevance: 5.0, Strings: 4, Instructions: 28COMMON

Download Yara Rule

Strings

7, xrefs: 0040186A
n7A, xrefs: 00401885
6, xrefs: 0040189E
7, xrefs: 004018A5

Memory Dump Source

Source File: 00000000.00000002.1718150574.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1718130231.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718175155.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718194167.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718210536.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1718244896.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_8zyfXqDPaT.jbxd

Yara matches

Similarity

API ID:
String ID: 6$7$7$n7A
API String ID: 0-3626202689
Opcode ID: bdd2fd97519feb2fbf737027a6bfb5485a56e8227d97887cb6c8ed79bb07813a
Instruction ID: b7370dd82f8b8d839790749eee7d6da2d8ee6722b335b7c94580866067ac804f
Opcode Fuzzy Hash: bdd2fd97519feb2fbf737027a6bfb5485a56e8227d97887cb6c8ed79bb07813a
Instruction Fuzzy Hash: 6EF019B0808388DADB21AF55C58479EBBE0AB41358F00C99EE59C262C1C3BD4688CF56

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8zyfXqDPaT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NetWire

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8zyfXqDPaT.exe_597f6042507848fc7dadc62a3ffaed4ee9ff7a_a6f17a6b_26226c92-4c22-481a-a403-269a013eebf7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9097.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91D1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ED2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
8zyfXqDPaT.exe

Function 0040C75F Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 111
COMMON

Function 00403B54 Relevance: 4.5, APIs: 3, Instructions: 18
networkCOMMON

Function 004021DA Relevance: .1, Instructions: 81
COMMON

Function 004061D0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 194
windowCOMMON

Function 0040FD55 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 183
keyboardCOMMON

Function 004080D4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 279
registryencryptionCOMMON

Function 0040B904 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 211
COMMON

Function 00409681 Relevance: 53.0, APIs: 16, Strings: 14, Instructions: 460
libraryloaderCOMMON

Function 00405DD8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 199
pipeprocessfileCOMMON

Function 00410C22 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 232
registryCOMMON

Function 00405A58 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184
timeprocessCOMMON

Function 0040578A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 171
networkCOMMON

Function 004120D4 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 262
networkCOMMON

Function 0040C975 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135
fileCOMMON