Edit tour

Windows Analysis Report
ytgzVtg25k.exe

Overview

General Information

Sample name:	ytgzVtg25k.exe renamed because original name is a hash value
Original sample name:	8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20.exe
Analysis ID:	1447654
MD5:	02249b59bff7fa6b932d09cce70dc5b8
SHA1:	93ef935fc9041c0f37bc2cb6d60e2591e33cc86e
SHA256:	8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20
Tags:	exeNetWire
Infos:

Detection

NetWire

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected NetWire RAT

Yara detected Netwire RAT

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ytgzVtg25k.exe (PID: 6164 cmdline: "C:\Users\user\Desktop\ytgzVtg25k.exe" MD5: 02249B59BFF7FA6B932D09CCE70DC5B8)

WerFault.exe (PID: 5296 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 380 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NetWire RC, NetWire	Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.Keylog files are stored on the infected machine in an obfuscated form. The algorithm is: for i in range(0,num_read): buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF	APT33	http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/ http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire

Malware Configuration

Threatname: NetWire

{"C2 list": ["86t7b9br9.ddns.net:8980"], "Password": "4678553478654HJKGHKJGHKJG4543", "Host ID": "HostId-MAm4sa", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ytgzVtg25k.exe	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
ytgzVtg25k.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
ytgzVtg25k.exe	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
ytgzVtg25k.exe	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
ytgzVtg25k.exe	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
ytgzVtg25k.exe	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
ytgzVtg25k.exe	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
ytgzVtg25k.exe	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
ytgzVtg25k.exe	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
ytgzVtg25k.exe	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2b6:$a2: \Login Data 0x2e1:$a2: \Login Data 0x30e:$a2: \Login Data
00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x66d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x4e5:$s6: %s\%s.bat
00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x600:$str2: %d:%I64u:%s%s; 0x658:$str3: %s%.2d-%.2d-%.4d 0x66d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x675:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x816:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x694:$klg1: [Backspace] 0x6a0:$klg2: [Enter] 0x6a8:$klg3: [Tab] 0x6ae:$klg4: [Arrow Left] 0x6bb:$klg5: [Arrow Up] 0x6c6:$klg6: [Arrow Right] 0x6d4:$klg7: [Arrow Down] 0x6e1:$klg8: [Home] 0x6e8:$klg9: [Page Up] 0x6f2:$klg10: [Page Down] 0x6fe:$klg11: [End] 0x704:$klg12: [Break] 0x70c:$klg13: [Delete] 0x715:$klg14: [Insert] 0x71e:$klg15: [Print Screen] 0x72d:$klg16: [Scroll Lock]
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x1674:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6:$a2: \Login Data 0x12e1:$a2: \Login Data 0x130e:$a2: \Login Data
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x677:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x6da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x166d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x14e5:$s6: %s\%s.bat 0x69c:$s7: DEL /s "%s" >nul 2>&1
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x165a:$exe1: %.2d-%.2d-%.4d 0x17a7:$exe1: %.2d-%.2d-%.4d 0x1658:$exe2: %s%.2d-%.2d-%.4d 0x166d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1798:$exe4: wcnwClass 0x1753:$exe5: [Ctrl+%c] 0x1374:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0xf39:$exe7: %s\.purple\accounts.xml
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x1600:$str2: %d:%I64u:%s%s; 0x1658:$str3: %s%.2d-%.2d-%.4d 0x166d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x96c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xb62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1675:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1816:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1694:$klg1: [Backspace] 0x16a0:$klg2: [Enter] 0x16a8:$klg3: [Tab] 0x16ae:$klg4: [Arrow Left] 0x16bb:$klg5: [Arrow Up] 0x16c6:$klg6: [Arrow Right] 0x16d4:$klg7: [Arrow Down] 0x16e1:$klg8: [Home] 0x16e8:$klg9: [Page Up] 0x16f2:$klg10: [Page Down] 0x16fe:$klg11: [End] 0x1704:$klg12: [Break] 0x170c:$klg13: [Delete] 0x1715:$klg14: [Insert]
00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0xcc8:$v2: mozsqlite3 0x172d:$v3: [Scroll Lock] 0x1788:$v4: GetRawInputData 0x677:$ping: ping 192.0.2.2
00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x432d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x432d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x677:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x6da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x69c:$s7: DEL /s "%s" >nul 2>&1
Process Memory Space: ytgzVtg25k.exe PID: 6164	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: ytgzVtg25k.exe PID: 6164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ytgzVtg25k.exe PID: 6164	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
Process Memory Space: ytgzVtg25k.exe PID: 6164	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x220a:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x112f5:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1c43:$a2: \Login Data 0x1c6c:$a2: \Login Data 0x1c96:$a2: \Login Data 0x1d0b:$a2: \Login Data 0x1d33:$a2: \Login Data 0x1d5c:$a2: \Login Data 0x10d63:$a2: \Login Data 0x10d8c:$a2: \Login Data 0x10db6:$a2: \Login Data 0x10e2b:$a2: \Login Data 0x10e53:$a2: \Login Data 0x10e7c:$a2: \Login Data
Process Memory Space: ytgzVtg25k.exe PID: 6164	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0xfd0c:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x1d72f:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0xfd6f:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1d792:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x2203:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x112ee:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1fcd:$s6: %s\%s.bat 0x110c6:$s6: %s\%s.bat 0xfd31:$s7: DEL /s "%s" >nul 2>&1 0x1d754:$s7: DEL /s "%s" >nul 2>&1
Process Memory Space: ytgzVtg25k.exe PID: 6164	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x21f0:$exe1: %.2d-%.2d-%.4d 0x232e:$exe1: %.2d-%.2d-%.4d 0x248a:$exe1: %.2d-%.2d-%.4d 0x112db:$exe1: %.2d-%.2d-%.4d 0x11419:$exe1: %.2d-%.2d-%.4d 0x11575:$exe1: %.2d-%.2d-%.4d 0x21ee:$exe2: %s%.2d-%.2d-%.4d 0x2488:$exe2: %s%.2d-%.2d-%.4d 0x112d9:$exe2: %s%.2d-%.2d-%.4d 0x11573:$exe2: %s%.2d-%.2d-%.4d 0x2203:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x112ee:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x2324:$exe4: wcnwClass 0x247d:$exe4: wcnwClass 0x1140f:$exe4: wcnwClass 0x11568:$exe4: wcnwClass 0x22e7:$exe5: [Ctrl+%c] 0x243e:$exe5: [Ctrl+%c] 0x113d2:$exe5: [Ctrl+%c] 0x11529:$exe5: [Ctrl+%c] 0x1da5:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions
Process Memory Space: ytgzVtg25k.exe PID: 6164	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x21a1:$str2: %d:%I64u:%s%s; 0x21cb:$str2: %d:%I64u:%s%s; 0x1128c:$str2: %d:%I64u:%s%s; 0x112b6:$str2: %d:%I64u:%s%s; 0x21ee:$str3: %s%.2d-%.2d-%.4d 0x2488:$str3: %s%.2d-%.2d-%.4d 0x112d9:$str3: %s%.2d-%.2d-%.4d 0x11573:$str3: %s%.2d-%.2d-%.4d 0x2203:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x112ee:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x220b:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x24e9:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xfe4a:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xfe70:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1009f:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x112f6:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1d87d:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1d8a3:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1dad2:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x2228:$klg1: [Backspace] 0x2392:$klg1: [Backspace]
Process Memory Space: ytgzVtg25k.exe PID: 6164	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x101ea:$v2: mozsqlite3 0x104f8:$v2: mozsqlite3 0x1dc1d:$v2: mozsqlite3 0x1df2b:$v2: mozsqlite3 0x22c1:$v3: [Scroll Lock] 0x241c:$v3: [Scroll Lock] 0x113ac:$v3: [Scroll Lock] 0x11507:$v3: [Scroll Lock] 0x2314:$v4: GetRawInputData 0x246e:$v4: GetRawInputData 0x113ff:$v4: GetRawInputData 0x11559:$v4: GetRawInputData 0xfd0c:$ping: ping 192.0.2.2 0x1d72f:$ping: ping 192.0.2.2
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0.2.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
0.2.ytgzVtg25k.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
0.2.ytgzVtg25k.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
0.2.ytgzVtg25k.exe.400000.0.unpack	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
0.2.ytgzVtg25k.exe.400000.0.unpack	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
0.2.ytgzVtg25k.exe.400000.0.unpack	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
0.2.ytgzVtg25k.exe.400000.0.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
0.2.ytgzVtg25k.exe.400000.0.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
0.0.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
0.0.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.ytgzVtg25k.exe.400000.0.unpack	JoeSecurity_Netwire	Yara detected Netwire RAT	Joe Security
0.0.ytgzVtg25k.exe.400000.0.unpack	Windows_Trojan_Netwire_6a7df287	unknown	unknown	0x472d:$a: 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C
0.0.ytgzVtg25k.exe.400000.0.unpack	Windows_Trojan_Netwire_1b43df38	unknown	unknown	0x13874:$a1: [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x134b6:$a2: \Login Data 0x134e1:$a2: \Login Data 0x1350e:$a2: \Login Data
0.0.ytgzVtg25k.exe.400000.0.unpack	CredentialStealer_Generic_Backdoor	Detects credential stealer byed on many strings that indicate password store access	Florian Roth	0x134f0:$s3: %s\Opera Software\Opera Stable\Login Data 0x130a3:$s4: select * from moz_logins 0x13494:$s5: %s\Google\Chrome\User Data\Default\Login Data 0x134c4:$s9: %s\Chromium\User Data\Default\Login Data 0x13114:$s10: %s\Opera\Opera\profile\wand.dat
0.0.ytgzVtg25k.exe.400000.0.unpack	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x12877:$s2: ping 192.0.2.2 -n 1 -w %d >nul 2>&1 0x128da:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x1386d:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x136e5:$s6: %s\%s.bat 0x1289c:$s7: DEL /s "%s" >nul 2>&1
0.0.ytgzVtg25k.exe.400000.0.unpack	RAT_NetWire	Detects NetWire RAT	Kevin Breen <kevin@techanarchy.net> & David Cannings	0x1385a:$exe1: %.2d-%.2d-%.4d 0x139a7:$exe1: %.2d-%.2d-%.4d 0x13858:$exe2: %s%.2d-%.2d-%.4d 0x1386d:$exe3: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x13998:$exe4: wcnwClass 0x13953:$exe5: [Ctrl+%c] 0x13574:$exe6: SYSTEM\CurrentControlSet\Control\ProductOptions 0x13139:$exe7: %s\.purple\accounts.xml
0.0.ytgzVtg25k.exe.400000.0.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x13800:$str2: %d:%I64u:%s%s; 0x13858:$str3: %s%.2d-%.2d-%.4d 0x1386d:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x12b6c:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x12d62:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13875:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13a16:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x13894:$klg1: [Backspace] 0x138a0:$klg2: [Enter] 0x138a8:$klg3: [Tab] 0x138ae:$klg4: [Arrow Left] 0x138bb:$klg5: [Arrow Up] 0x138c6:$klg6: [Arrow Right] 0x138d4:$klg7: [Arrow Down] 0x138e1:$klg8: [Home] 0x138e8:$klg9: [Page Up] 0x138f2:$klg10: [Page Down] 0x138fe:$klg11: [End] 0x13904:$klg12: [Break] 0x1390c:$klg13: [Delete] 0x13915:$klg14: [Insert]
0.0.ytgzVtg25k.exe.400000.0.unpack	netwire	detect netwire in memory	JPCERT/CC Incident Response Group	0x12ec8:$v2: mozsqlite3 0x1392d:$v3: [Scroll Lock] 0x13988:$v4: GetRawInputData 0x12877:$ping: ping 192.0.2.2
Click to see the 15 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ytgzVtg25k.exe

Avira: detected

Found malware configuration

Source: 0.2.ytgzVtg25k.exe.400000.0.unpack

Malware Configuration Extractor: NetWire {"C2 list": ["86t7b9br9.ddns.net:8980"], "Password": "4678553478654HJKGHKJGHKJG4543", "Host ID": "HostId-MAm4sa", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-", "KeyLog Directory": "-"}

Multi AV Scanner detection for submitted file

Source: ytgzVtg25k.exe	ReversingLabs: Detection: 97%
Source: ytgzVtg25k.exe	Virustotal: Detection: 91%			Perma Link

Machine Learning detection for sample

Source: ytgzVtg25k.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040A07F CryptUnprotectData,LocalFree,	0_2_0040A07F
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004080D4 RegOpenKeyExA,RegOpenKeyExA,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	0_2_004080D4
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,	0_2_00408D46
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00408971 RegQueryValueExA,CryptUnprotectData,LocalFree,	0_2_00408971
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004087B6 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_004087B6

Source: ytgzVtg25k.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040D054 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040D054
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose,	0_2_0040947B
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_00404C1F
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_004045AC
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose,	0_2_00404305

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00412640 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412640

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 86t7b9br9.ddns.net:8980

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00403877 send,recv,htons,send,recv,

0_2_00403877

Source: Amcache.hve.6.dr

String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040FD21 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD21

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_004061D0 GetSystemMetrics,GetSystemMetrics,GetDesktopWindow,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetDIBits,malloc,GetDIBits,ReleaseDC,DeleteDC,DeleteObject,

0_2_004061D0

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040FD21 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD21

Source: ytgzVtg25k.exe, 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_8b0cc14f-b

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040FD21 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,GetKeyState,MapVirtualKeyA,GetKeyNameTextA,GetKeyState,

0_2_0040FD21

System Summary

Malicious sample detected (through community Yara rule)

Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 Author: unknown
Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 Author: unknown
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: Detects NetWire RAT Author: Kevin Breen <kevin@techanarchy.net> & David Cannings
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 70E80000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 71E50000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 73A90000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 77040000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 72E20000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76860000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 73610000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 74A60000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75550000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 73810000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 74C60000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75100000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 752C0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75750000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76360000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 73910000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75200000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 753C0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75850000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76460000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 765D0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76C60000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 73990000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 758D0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75AF0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 75B70000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 764E0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76CE0000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76E20000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76520000 page read and write	Jump to behavior
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Memory allocated: 76650000 page read and write	Jump to behavior

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040E4C4	0_2_0040E4C4
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00411D8F	0_2_00411D8F
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040E190	0_2_0040E190
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00411614	0_2_00411614
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040E6A3	0_2_0040E6A3
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040EB76	0_2_0040EB76
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00402BE6	0_2_00402BE6

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 380

Source: ytgzVtg25k.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: ytgzVtg25k.exe, type: SAMPLE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Netwire_6a7df287 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 85051a0b94da4388eaead4c4f4b2d16d4a5eb50c3c938b3daf5c299c9c12f1e6, id = 6a7df287-1656-4779-9a96-c0ab536ae86a, last_modified = 2021-08-23
Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: Windows_Trojan_Netwire_1b43df38 reference_sample = e6f446dbefd4469b6c4d24988dd6c9ccd331c8b36bdbc4aaf2e5fc49de2c3254, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Netwire, fingerprint = 4142ea14157939dc23b8d1f5d83182aef3a5877d2506722f7a2706b7cb475b76, id = 1b43df38-886e-4f58-954a-a09f30f19907, last_modified = 2021-08-23
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: RAT_NetWire date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net> & David Cannings, maltype = Remote Access Trojan, description = Detects NetWire RAT, reference = http://malwareconfig.com/stats/NetWire
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR	Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00412640 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412640

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_004120BC CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_004120BC

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6164

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b6b74e6b-41bb-4bb7-9cf4-dd8aaa0e9649

Jump to behavior

Source: ytgzVtg25k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ytgzVtg25k.exe	ReversingLabs: Detection: 97%
Source: ytgzVtg25k.exe	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Users\user\Desktop\ytgzVtg25k.exe "C:\Users\user\Desktop\ytgzVtg25k.exe"
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 380

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,

0_2_00408D46

Source: ytgzVtg25k.exe

Static PE information: real checksum: 0x22a50 should be: 0x21b67

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040491C push edi; mov dword ptr [esp], eax	0_2_004049DB
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040FD21 push ecx; mov dword ptr [esp], 00000091h	0_2_0040FD3C
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040FD21 push eax; mov dword ptr [esp], esi	0_2_0040FD5C
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040D9C2 push ecx; mov dword ptr [esp], ebx	0_2_0040D9EE
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004061D0 push edx; mov dword ptr [esp], eax	0_2_00406464
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004049EC push ecx; mov dword ptr [esp], ebx	0_2_00404A1A
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004111FE push ecx; mov dword ptr [esp], eax	0_2_004113ED
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00410182 push eax; mov dword ptr [esp], ebx	0_2_004102E2
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040FA98 push eax; mov dword ptr [esp], 004186C0h	0_2_0040FB46

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-4794

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-4924

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-4839

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

API coverage: 0.8 %

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040D054 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,	0_2_0040D054
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_0040947B SetErrorMode,FindFirstFileA,strlen,FindNextFileA,FindClose,	0_2_0040947B
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00404C1F SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_00404C1F
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_004045AC SetErrorMode,FindFirstFileA,FindClose,FindNextFileA,	0_2_004045AC
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	Code function: 0_2_00404305 SetErrorMode,FindFirstFileA,FileTimeToSystemTime,FindNextFileA,FindClose,	0_2_00404305

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00412640 SetErrorMode,GetLogicalDriveStringsA,GetVolumeInformationA,GetDiskFreeSpaceExA,GetDriveTypeA,

0_2_00412640

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040B8A4 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_0040B8A4

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ytgzVtg25k.exe, 00000000.00000002.2061663525.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\ytgzVtg25k.exe	API call chain: ExitProcess graph end node	graph_0-4684
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	API call chain: ExitProcess graph end node	graph_0-5001
Source: C:\Users\user\Desktop\ytgzVtg25k.exe	API call chain: ExitProcess graph end node	graph_0-4657

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_00408D46 LoadLibraryA,GetProcAddress,GetProcAddress,CryptUnprotectData,strlen,

0_2_00408D46

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040658F keybd_event,

0_2_0040658F

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_004065ED SetCursorPos,mouse_event,

0_2_004065ED

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040FC58 GetForegroundWindow,GetLocalTime,GetWindowTextA,

0_2_0040FC58

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040B849 getenv,GetUserNameA,

0_2_0040B849

Source: C:\Users\user\Desktop\ytgzVtg25k.exe

Code function: 0_2_0040B8A4 GetVersionExA,GetVersionExA,GetSystemInfo,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

0_2_0040B8A4

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: ytgzVtg25k.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR

Remote Access Functionality

Yara detected NetWire RAT

Source: Yara match	File source: ytgzVtg25k.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR

Yara detected Netwire RAT

Source: Yara match	File source: ytgzVtg25k.exe, type: SAMPLE
Source: Yara match	File source: 0.2.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.ytgzVtg25k.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ytgzVtg25k.exe PID: 6164, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	131 Input Capture	1 System Time Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	131 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	5 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ytgzVtg25k.exe	97%	ReversingLabs	Win32.Backdoor.NetWiredRc
ytgzVtg25k.exe	92%	Virustotal		Browse
ytgzVtg25k.exe	100%	Avira	TR/Spy.Gen
ytgzVtg25k.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
86t7b9br9.ddns.net:8980	0%	Avira URL Cloud	safe
86t7b9br9.ddns.net:8980	3%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
86t7b9br9.ddns.net:8980	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447654
Start date and time:	2024-05-26 10:52:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ytgzVtg25k.exe renamed because original name is a hash value
Original Sample Name:	8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
04:53:35	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ytgzVtg25k.exe_d13bec3fd875e785eec1458ce3a188254910e443_5729f537_3cc227f8-2f14-4289-aee1-7b0f1e0ebc5f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7346931607260482
Encrypted:	false
SSDEEP:	192:hODIpLGEM0x+bH08CjYqzuiF4Z24IO8P/:KsqEHxS08CjdzuiF4Y4IO8P/
MD5:	53B483EA15DADA7AB13B97ED26AE9825
SHA1:	6F764300DC29422DC620B9453F3DF69BF0BE0E9F
SHA-256:	EFB473B3EAB4AD2B2970B7D92F9F69941AFC18DBDEABF2F50085BAB82B294F6C
SHA-512:	2F6E7C7E6471AC35CF450D663E3E7E7F392A78BFAC81F0911BBEE9855930670B9F4E1E2EC34B33138A34D918599F7B2A4A03874F8205CA9796AFDB8D515F8A24
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.1.8.7.2.0.3.8.8.2.1.9.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.1.8.7.2.0.4.2.5.7.1.9.8.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.c.2.2.7.f.8.-.2.f.1.4.-.4.2.8.9.-.a.e.e.1.-.7.b.0.f.1.e.0.e.b.c.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.a.f.4.0.a.9.-.0.e.4.4.-.4.6.1.8.-.8.2.b.f.-.3.e.5.d.8.e.e.3.5.1.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.y.t.g.z.V.t.g.2.5.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.4.-.0.0.0.1.-.0.0.1.4.-.c.d.8.1.-.9.5.1.8.4.a.a.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.2.a.5.0.0.c.0.2.0.9.3.5.b.8.3.c.b.e.8.a.0.f.b.e.9.1.3.7.f.a.2.0.0.0.0.f.f.f.f.!.0.0.0.0.9.3.e.f.9.3.5.f.c.9.0.4.1.c.0.f.3.7.b.c.2.c.b.6.d.6.0.e.2.5.9.1.e.3.3.c.c.8.6.e.!.y.t.g.z.V.t.g.2.5.k...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0DB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun May 26 08:53:23 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	34456
Entropy (8bit):	2.009357268603733
Encrypted:	false
SSDEEP:	96:5k8g5OV6IOXBsOcBAJZqr6hi7WVTWF3vm2YrC5oK3vlo51krNOHCONWIkWI0YIMM:hgVRM8ODvm2YrfK3s8NmCOyjbDjWMq
MD5:	93CD9D9A706F31DCA0E9E5DC3AFFBF5F
SHA1:	C759B8A08E76C32C3F6F5710D37BA1FBBB3DB14E
SHA-256:	DCF627CE23D103A9E45D73FDBD99D940EE3609641CB6FF213457285C2D732C20
SHA-512:	0578BE2C683F8749CAEB0B8944E71B0D41EA7385F58840609A0EB8EC2F345F924D600D0EFD7B200D73A9F22AAD3C9F891D1F91BC25949272498ECE660A1E02F0
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........Rf........................t................ ..........T.......8...........T...........`...8w......................................................................................................eJ..............GenuineIntel............T...........e.Rf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE14A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8364
Entropy (8bit):	3.692347182166643
Encrypted:	false
SSDEEP:	192:R6l7wVeJdv6VyWeYU6Y9ZSU9sWgmf8sbWDbpDG89bPOKsfnDLlm:R6lXJF6VyWej6YDSU9sWgmf8R9POpfDk
MD5:	4AA148A19BEC9B919A246D3285EB9B81
SHA1:	767F4A63CC30043324175F978C4848BA0CC3A004
SHA-256:	775E4D84C56CC869317EE9771BA4A9DA14D8CCB4669A3C0C31F2C93299EA5A57
SHA-512:	C05660FB910C12E21281F3E2884A3603827DC21DA4E96A7EF3F3DD16B8A4F9182DFACCA7AF7AC3A5902F45B4DDB27B83AF189856437C1A3E9AB9D8FC242379AD
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.45716840501857
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHsJg77aI9x2WpW8VYgYm8M4JalGpDJFv/+q8XDAFDdSz2Awzydd:uIjfKI7fX7VgJyGlDCD0DdSz2Rzydd
MD5:	A32D7D4144FE10969FF29470D4DEBF4D
SHA1:	E15DEFC4C889FD6EF3B6D70CEA445399B76A14E5
SHA-256:	F7D9D8B3BD14ED730304F960F83089888F11218DA0852EA188AD1ABCCDF9D6B5
SHA-512:	5232A99B943E2BF526DE1C0DBA3FA20F5BF858E0009C0092BE7C8DBF11DC03346D3AB0EF4B0DD176DFB5C17B80D304A93E4CB60510F97FE4639DD96550E08F0D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="339836" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465443399735992
Encrypted:	false
SSDEEP:	6144:8IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNrdwBCswSba:BXD94+WlLZMM6YFHd+a
MD5:	0742A2E52D384EE87C5779C75719583F
SHA1:	DB2260C98BEF78155C7B9777C4A43C26DE984308
SHA-256:	0D0DD8A589CA7C2FF560DA3C8E4858D45DCF7C1AA8B5DFD8F74FDD1A79F1951D
SHA-512:	5F8AD80B41B57661E37BF3F01EC909B5467CD9B6F5CFC88532A2D193AAB8AE6549BDB505B1C507ACB8AAE77E99B72F4D203B4E9C635FBB35371BBEFC85299BA8
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn..*J...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.186277243362521
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ytgzVtg25k.exe
File size:	86'016 bytes
MD5:	02249b59bff7fa6b932d09cce70dc5b8
SHA1:	93ef935fc9041c0f37bc2cb6d60e2591e33cc86e
SHA256:	8dfa86ab54225a8e1c2027172d71cebf13dfa2e622ac9cc06fe1058b6be3ff20
SHA512:	948339aafc124fdc15c152f1eccefa2ad5ebfd732b71bbb6bebd832bb61296027b494d0fddf18e5347c798e91c3fcc0ab000f54362dcc4012da777148923961b
SSDEEP:	1536:7Lp3YvQCGQ10ismSklVI8VjCX1Isv3fA9qeRgLHsbg/+ySr1Ra:7Lp3Yvhn9VI8VjCX1I43fAwegLMbrO
TLSH:	FD83D619FA0BE0F2EE4E1D7162CBF6AF4B786920D864CE41DF840D43EA53D536219B94
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.\V...............8.........d...!.......0....@.................................P*........ ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4021da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x565C9161 [Mon Nov 30 18:11:45 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	eaf9915d2b5730c3717ea003bd93404a

Entrypoint Preview

Instruction
push ebp
mov eax, 0000103Ch
push edi
push esi
push ebx
call 00007F7460827109h
sub esp, eax
call 00007F746081835Ah
lea ebp, dword ptr [esp+28h]
call 00007F7460824119h
lea ebx, dword ptr [esp+2Ch]
call 00007F746082386Ch
call 00007F74608217B7h
call 00007F7460820F15h
call 00007F7460821399h
mov dword ptr [esp+2Ch], FFFFFFFFh
mov eax, dword ptr [esp+2Ch]
mov dword ptr [esp+08h], 00000004h
mov dword ptr [esp+04h], ebp
mov dword ptr [esp+28h], 00000000h
mov dword ptr [esp], eax
call 00007F74608189D9h
test al, al
je 00007F7460816A9Fh
mov edi, dword ptr [esp+28h]
mov esi, dword ptr [esp+2Ch]
mov dword ptr [esp+04h], edi
mov dword ptr [esp], esi
call 00007F7460816937h
test al, al
je 00007F74608169B2h
lea eax, dword ptr [esp+30h]
mov dword ptr [esp+08h], edi
mov dword ptr [esp+04h], eax
mov dword ptr [esp], esi
call 00007F74608189A5h
test al, al
je 00007F7460816A5Ah
mov esi, dword ptr [esp+28h]
cmp esi, 00000FFFh
jnbe 00007F74608169F7h
mov byte ptr [esp+esi+30h], 00000000h
movzx edx, byte ptr [esp+30h]
mov edi, dword ptr [esp+2Ch]
mov dword ptr [esp+04h], edx
mov dword ptr [esp], edi
mov dword ptr [esp+1Ch], edx
call 00007F7460816918h
mov edx, dword ptr [esp+1Ch]
test al, al
jne 00007F7460816A0Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c000	0x10fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c30c	0x258	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11da8	0x11e00	28ed0d155e1e65b4e9fa75ca25b08d36	False	0.48537204982517484	data	5.977643066137705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x13000	0x1a7c	0x1c00	d928a8e6030ae25ed51ed2929cf55a93	False	0.5775669642857143	data	6.348388745913756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x15000	0x63f0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1c000	0x10fc	0x1200	1c5eecb94befaaec442aaa260dde1560	False	0.5158420138888888	data	5.623593330498326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
ADVAPI32.DLL	CryptAcquireContextA, CryptCreateHash, CryptDestroyHash, CryptGetHashParam, CryptHashData, CryptReleaseContext, GetUserNameA, RegCloseKey, RegCreateKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegEnumValueA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA
CRYPT32.DLL	CryptUnprotectData
GDI32.dll	BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, DeleteDC, DeleteObject, GetDIBits, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryA, CreateFileA, CreateMutexA, CreatePipe, CreateProcessA, CreateToolhelp32Snapshot, DeleteFileA, EnterCriticalSection, ExitProcess, FileTimeToSystemTime, FindClose, FindFirstFileA, FindNextFileA, FreeLibrary, GetCommandLineA, GetComputerNameA, GetCurrentProcessId, GetCurrentThreadId, GetDiskFreeSpaceExA, GetDriveTypeA, GetFileAttributesA, GetFileAttributesExA, GetLastError, GetLocalTime, GetLogicalDriveStringsA, GetModuleFileNameA, GetProcAddress, GetProcessTimes, GetStartupInfoA, GetSystemInfo, GetSystemTime, GetTickCount, GetVersionExA, GetVolumeInformationA, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LocalFree, MoveFileA, OpenProcess, PeekNamedPipe, Process32First, Process32Next, ReadFile, ReleaseMutex, ResumeThread, SetErrorMode, SetFileAttributesA, SetFilePointer, Sleep, TerminateProcess, WideCharToMultiByte, WriteFile
msvcrt.dll	_beginthreadex, _filelengthi64, _vscprintf, _vsnprintf, fclose, fflush, fgetpos, fgets, fopen, fread, free, fsetpos, fwrite, getenv, malloc, realloc, strlen
SHELL32.DLL	SHGetPathFromIDListA, SHGetSpecialFolderLocation
USER32.dll	CreateWindowExA, DefWindowProcA, DispatchMessageA, EnumWindows, GetDC, GetDesktopWindow, GetForegroundWindow, GetKeyNameTextA, GetKeyState, GetKeyboardState, GetMessageA, GetSystemMetrics, GetWindowTextA, IsWindowVisible, MapVirtualKeyA, PostQuitMessage, RegisterClassExA, ReleaseDC, SendMessageA, SetCursorPos, SetWindowTextA, ShowWindow, ToAscii, TranslateMessage, keybd_event, mouse_event
WS2_32.dll	WSACleanup, WSAGetLastError, WSAIoctl, WSAStartup, __WSAFDIsSet, closesocket, connect, gethostbyname, gethostname, htons, inet_ntoa, ioctlsocket, ntohs, recv, select, send, setsockopt, shutdown, socket

Target ID:	0
Start time:	04:52:53
Start date:	26/05/2024
Path:	C:\Users\user\Desktop\ytgzVtg25k.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ytgzVtg25k.exe"
Imagebase:	0x400000
File size:	86'016 bytes
MD5 hash:	02249B59BFF7FA6B932D09CCE70DC5B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Netwire, Description: Yara detected Netwire RAT, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Netwire_1b43df38, Description: unknown, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: RAT_NetWire, Description: Detects NetWire RAT, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> & David Cannings Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: netwire, Description: detect netwire in memory, Source: 00000000.00000000.1644578754.0000000000413000.00000008.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000000.00000000.1644544695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Netwire_6a7df287, Description: unknown, Source: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:53:23
Start date:	26/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 380
Imagebase:	0x500000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	1627
Total number of Limit Nodes:	2

Executed Functions

Function 0040C72B Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040C747
malloc.MSVCRT ref: 0040C7FC
malloc.MSVCRT ref: 0040C853

Strings

@, xrefs: 0040C8AD
:, xrefs: 0040C8BD
l4A, xrefs: 0040C829

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: malloc
String ID: :$@$l4A
API String ID: 2803490479-2178790103
Opcode ID: b83cbc6a64ff352804b9bfddee4ddf57693cdf8cfb53a6cb52c0b83734f20869
Instruction ID: f932696bdea0e9fbbb3abfc95eb8d80010f47caf81c3293b5a6935d0f1b39213
Opcode Fuzzy Hash: b83cbc6a64ff352804b9bfddee4ddf57693cdf8cfb53a6cb52c0b83734f20869
Instruction Fuzzy Hash: 0751F5B04087049FD701EF26C48425EBBE0FB84348F11C92EE5E89B392DBB99545CF8A

Function 00403B54 Relevance: 4.5, APIs: 3, Instructions: 18
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00403B6E
ExitProcess.KERNEL32 ref: 00403B80
InitializeCriticalSection.KERNEL32 ref: 00403B8C

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CriticalExitInitializeProcessSectionStartup
String ID:
API String ID: 3456047655-0
Opcode ID: 63ff5738400b76bf3aba5b293504b0f52e0bb6060e5d5d878e74598d1dd7f8c0
Instruction ID: 1f216b37b12b0f72473575d17fb5684b7e683a454140a5030794b2cc63ffedef
Opcode Fuzzy Hash: 63ff5738400b76bf3aba5b293504b0f52e0bb6060e5d5d878e74598d1dd7f8c0
Instruction Fuzzy Hash: 01D012B02043045AE7907F69D9067ABB6FC9B41709F00445F68C4D2242EBFC98958667

Function 004021DA Relevance: .1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Processmalloc$CurrentExit$CountCriticalInitializeSectionStartupThreadTick
String ID:
API String ID: 1809231239-0
Opcode ID: 101377c076011302767dfb9f751ca096f28e4f94a2a092162b949ab9b24beb94
Instruction ID: 142c39be9d2d5e3745f822b90aca99a9f7cf19e8943649cfdd8a405ec8ab76f6
Opcode Fuzzy Hash: 101377c076011302767dfb9f751ca096f28e4f94a2a092162b949ab9b24beb94
Instruction Fuzzy Hash: F931FBB04087408AC710BFA6818561EFBE4AF84358F054A7FF8D4772D2C7B895468B5B

Non-executed Functions

Function 004061D0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004061F9
GetSystemMetrics.USER32 ref: 00406208
GetDesktopWindow.USER32 ref: 00406210
GetDC.USER32 ref: 00406231
CreateCompatibleDC.GDI32 ref: 0040623C
CreateCompatibleBitmap.GDI32 ref: 00406250
SelectObject.GDI32 ref: 0040627F
BitBlt.GDI32 ref: 004062C0
GetDIBits.GDI32 ref: 00406344
malloc.MSVCRT ref: 004063AF
GetDIBits.GDI32 ref: 004063EB
ReleaseDC.USER32 ref: 0040644E
DeleteDC.GDI32(00000000), ref: 0040645B
DeleteObject.GDI32 ref: 00406467

Strings

(, xrefs: 0040641B
(, xrefs: 0040638E
, xrefs: 00406289
BM, xrefs: 0040635A
6, xrefs: 00406377

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: BitsCompatibleCreateDeleteMetricsObjectSystem$BitmapDesktopReleaseSelectWindowmalloc
String ID: $($($6$BM
API String ID: 3568129938-2637400849
Opcode ID: 181f89d6ae9e89f7e295e51894366df1a79d8c5fc48be972af6e57f5eaa62152
Instruction ID: 266a23183267d1046fc9d9c225dd37840db50443dff86e0b9bb452c3212cbd7b
Opcode Fuzzy Hash: 181f89d6ae9e89f7e295e51894366df1a79d8c5fc48be972af6e57f5eaa62152
Instruction Fuzzy Hash: FE81A5B09083059FDB00EFA9D58579EBBF4BF44344F01882EE888EB351E7789995CB56

Function 0040FD21 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 183
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32 ref: 0040FD36
GetKeyState.USER32 ref: 0040FD43
GetKeyState.USER32 ref: 0040FD56
GetKeyboardState.USER32(00000000), ref: 0040FD5F
MapVirtualKeyA.USER32(00000000,00000000), ref: 0040FF0E
ToAscii.USER32 ref: 0040FF32
GetKeyState.USER32 ref: 0040FF44
MapVirtualKeyA.USER32 ref: 0040FF88
GetKeyNameTextA.USER32 ref: 0040FFA1
GetKeyState.USER32 ref: 0040FFB4

Strings

`GA, xrefs: 0040FFE0
, xrefs: 0040FFE8

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: State$Virtual$AsciiKeyboardNameText
String ID: $`GA
API String ID: 2992186895-3733422996
Opcode ID: eb52b18bba3e4d925d6e9d22f1429ef7a14ed76e712acfa9fac7246c6a0998f4
Instruction ID: 80565416b984be0d3f78b850c93890a41459460eba26d941ea0aad13ddd5b4af
Opcode Fuzzy Hash: eb52b18bba3e4d925d6e9d22f1429ef7a14ed76e712acfa9fac7246c6a0998f4
Instruction Fuzzy Hash: B46135B14083019AD7309F14D5C429FBAE4EF86348F61C53FE48966AA2D3BD45C98B8F

Function 004080D4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 279
registryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00408133
RegOpenKeyExA.ADVAPI32 ref: 004081A3
CryptUnprotectData.CRYPT32 ref: 004084D3
LocalFree.KERNEL32 ref: 0040850A
RegEnumKeyExA.ADVAPI32 ref: 004085FA
RegCloseKey.ADVAPI32 ref: 00408613

Strings

R@A, xrefs: 00408554
i<A, xrefs: 0040815D
?, xrefs: 00408182

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Open$CloseCryptDataEnumFreeLocalUnprotect
String ID: ?$R@A$i<A
API String ID: 465718330-2923574325
Opcode ID: 9d8d3a0d1ece565365071117d4f44f17b8d588ba342fe06ff15d4423da111424
Instruction ID: c2495c30ca7efd79f8dcd7662a936437fd26801a372f492a6e9eb2653917f24a
Opcode Fuzzy Hash: 9d8d3a0d1ece565365071117d4f44f17b8d588ba342fe06ff15d4423da111424
Instruction Fuzzy Hash: C9E1ABB08093169FCB10DF65C54469EFBF0BF88314F00C96EE488A7251D7B89A89DF96

Function 0040B8A4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 0040B8DA
GetVersionExA.KERNEL32 ref: 0040B921
GetSystemInfo.KERNEL32 ref: 0040B934

Strings

P, xrefs: 0040BB7F
A, xrefs: 0040B9AB
tCA, xrefs: 0040BB00

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Version$InfoSystem
String ID: A$P$tCA
API String ID: 731687086-2098838653
Opcode ID: 9ff25001332db28a4cba43fe2e3603d7148304719e311cce78e5d16147e7a9e5
Instruction ID: 213f5c7581ae602c04361a2c582c44ae70c7d1d104af1192d7f0063fb23a7b35
Opcode Fuzzy Hash: 9ff25001332db28a4cba43fe2e3603d7148304719e311cce78e5d16147e7a9e5
Instruction Fuzzy Hash: 28816274A082488AEB249B28C5453AFB6A0EB82304F14487FD585F7381D77D89C5DF9F

Function 00408D46 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142libraryloaderencryptionCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00408D5D
GetProcAddress.KERNEL32 ref: 00408D76
GetProcAddress.KERNEL32 ref: 00408D8F
CryptUnprotectData.CRYPT32 ref: 00408EB3
strlen.MSVCRT ref: 00408ED9

Strings

$, xrefs: 00408DC7
yAA, xrefs: 00408F11
TAA, xrefs: 00408DA6
J, xrefs: 00408DD6

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressProc$CryptDataLibraryLoadUnprotectstrlen
String ID: $$J$TAA$yAA
API String ID: 3252690914-3341814342
Opcode ID: dee79b657d048a92c128fd807979512fe649fcd34e8697addc6dec66ea951e89
Instruction ID: 0d44d37ccb953c5ce8451930b2e0d927d54d6dc613895bc50854d86488a5e919
Opcode Fuzzy Hash: dee79b657d048a92c128fd807979512fe649fcd34e8697addc6dec66ea951e89
Instruction Fuzzy Hash: 8461E1B0D042199FCB10DF68C584B8EBBF0BF48304F0085AAE498A7351E7789A89CF46

Function 00412640 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00411EE0: malloc.MSVCRT ref: 00411EF0

SetErrorMode.KERNEL32 ref: 0041266F
GetLogicalDriveStringsA.KERNEL32 ref: 00412680
GetVolumeInformationA.KERNEL32 ref: 00412744
GetDiskFreeSpaceExA.KERNEL32 ref: 0041279F
GetDriveTypeA.KERNEL32 ref: 00412833

Strings

S, xrefs: 004128D7
PJA, xrefs: 004127E4
[JA, xrefs: 00412877

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Drive$DiskErrorFreeInformationLogicalModeSpaceStringsTypeVolumemalloc
String ID: PJA$S$[JA
API String ID: 4103324456-1761618106
Opcode ID: 9aabe946a61e41fee52c1eee580b3b3fdb41f05ef89c8c5d0f1c201d8a81c991
Instruction ID: 356039814e263398ffd4ce6cd742752868d75a7b6425d292464e317d17f25cc6
Opcode Fuzzy Hash: 9aabe946a61e41fee52c1eee580b3b3fdb41f05ef89c8c5d0f1c201d8a81c991
Instruction Fuzzy Hash: BE71C9B48093199FD715EF15C59479EFBF4BF84344F0089AEE48897351D7B88A848F86

Function 00404305 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 158filetimeCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040431E
FindFirstFileA.KERNEL32 ref: 0040432E
FileTimeToSystemTime.KERNEL32 ref: 004043BC
FindNextFileA.KERNEL32 ref: 004044F7
FindClose.KERNEL32 ref: 00404509

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

l9A, xrefs: 004043E4
, xrefs: 004043EC

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: FileFind$CriticalSectionTime$CloseEnterErrorFirstLeaveModeNextSystem
String ID: $l9A
API String ID: 353538454-1713450632
Opcode ID: 98bc08f6b243b074ef08a4a373ac03dd52d83b39fe9c81a162ffe9445c34541c
Instruction ID: 1fc34434550e5242d9d5ba0645ad2f11a375c46af1ef1a3391ad130d418d873c
Opcode Fuzzy Hash: 98bc08f6b243b074ef08a4a373ac03dd52d83b39fe9c81a162ffe9445c34541c
Instruction Fuzzy Hash: 1571E4B49087159FC711DF25C4846AABBF4AF84744F00C9AEF8C8A7351E7789A84CF86

Function 004087B6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 00408805
CryptCreateHash.ADVAPI32 ref: 0040883C
CryptHashData.ADVAPI32 ref: 00408868
CryptGetHashParam.ADVAPI32 ref: 004088A3
CryptDestroyHash.ADVAPI32 ref: 0040894A
CryptReleaseContext.ADVAPI32 ref: 00408962

Strings

=AA, xrefs: 00408925

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
String ID: =AA
API String ID: 3186506766-994812051
Opcode ID: 2f6a475c9571eee0b807f023cad8654a9ca41767567a4e8f6473becba9cecbd4
Instruction ID: 43e913180013c81e561a4f03503189ea9849b0a11c57a370dc83b3bb8802f5fd
Opcode Fuzzy Hash: 2f6a475c9571eee0b807f023cad8654a9ca41767567a4e8f6473becba9cecbd4
Instruction Fuzzy Hash: D741C3F49083459BDB00EF69C5557AEBBF0AF84348F00C92EE8949B281D7B88558CF96

Function 00404C1F Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 00404DA2
FindFirstFileA.KERNEL32 ref: 00404DDC
FindClose.KERNEL32 ref: 00404E06
FindNextFileA.KERNEL32 ref: 0040500B

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 0040481E: fopen.MSVCRT ref: 0040485C
Part of subcall function 0040481E: fread.MSVCRT ref: 00404895
Part of subcall function 0040481E: fclose.MSVCRT ref: 0040490C

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

L, xrefs: 0040503B
!, xrefs: 00404F66

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Find$CriticalFileSection$CloseEnterErrorFirstLeaveModeNext_vsnprintffclosefopenfread
String ID: !$L
API String ID: 2399339665-1212946904
Opcode ID: 520669d3c9e5167182d3218735a7a2b716ccb301ed5db82f3caaeeb510aa4600
Instruction ID: 396f7101ae688dc5a1daa98546f1596006a8bdfdd7540070ae8a870131a2037a
Opcode Fuzzy Hash: 520669d3c9e5167182d3218735a7a2b716ccb301ed5db82f3caaeeb510aa4600
Instruction Fuzzy Hash: 16B1B5B48087159FD710EF15C58469EBBF0EF84354F00C9AEE58CA7391D3789A889F4A

Function 0040947B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040948B

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

FindFirstFileA.KERNEL32 ref: 004094D5
FindNextFileA.KERNEL32 ref: 00409660
FindClose.KERNEL32 ref: 00409676

Strings

i<A, xrefs: 004095C1

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: i<A
API String ID: 3730131509-3396280644
Opcode ID: 08d414c553bf70d7ecb26121772d48012eb50a6de60c5b71e8a3bb9334b8a2f3
Instruction ID: 634cb96f22232059071e44900e8d17bf50e35e5b716e0b5affd2cc289ba29c1d
Opcode Fuzzy Hash: 08d414c553bf70d7ecb26121772d48012eb50a6de60c5b71e8a3bb9334b8a2f3
Instruction Fuzzy Hash: 4251D9B49047099FCB50EF69C98569EBBF4AF44305F00896EE898E7341E778D984CF4A

Function 0040D054 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 0040D073

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

FindFirstFileA.KERNEL32 ref: 0040D0AF
FindNextFileA.KERNEL32 ref: 0040D21C
FindClose.KERNEL32 ref: 0040D240

Strings

EA, xrefs: 0040D0EC
EA, xrefs: 0040D083

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID: EA$EA
API String ID: 3730131509-2825276752
Opcode ID: 21ea41ee33ca27a9ba7a00c637488261db3e5fa5855e3697372241443351829d
Instruction ID: f5e0fac76b1629c5f19c698915ab5dd52894034e7796ffa824b2178f72c5ea18
Opcode Fuzzy Hash: 21ea41ee33ca27a9ba7a00c637488261db3e5fa5855e3697372241443351829d
Instruction Fuzzy Hash: 1351E5B48087159FCB10EF65C58069EBBF0EF84354F00C9AEE89CA7341D77899858F56

Function 00402BE6 Relevance: 8.0, APIs: 4, Strings: 1, Instructions: 464COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00402C40
malloc.MSVCRT ref: 00402C6F
malloc.MSVCRT ref: 00402DCF
malloc.MSVCRT ref: 00402E47

Strings

wA, xrefs: 00403316

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: malloc
String ID: wA
API String ID: 2803490479-2241071787
Opcode ID: f7590618486acb90a0b4045038a1b9980daa56503a97e3c65fc2a379a13d9216
Instruction ID: 1903f6f71b833f789e86fa46751705e409b3d32491f2a3118026c90f9d04b3e6
Opcode Fuzzy Hash: f7590618486acb90a0b4045038a1b9980daa56503a97e3c65fc2a379a13d9216
Instruction Fuzzy Hash: 531271B04087908ED711AF36D5492AEBBE0AF45305F45487FE8C4AB3D2D7BC8589CB5A

Function 00403877 Relevance: 7.6, APIs: 5, Instructions: 101networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 004038B8
recv.WS2_32 ref: 0040390A
htons.WS2_32 ref: 00403981
send.WS2_32 ref: 004039C2
recv.WS2_32 ref: 004039EB

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: recvsend$htons
String ID:
API String ID: 2448738288-0
Opcode ID: ff5436d585582389e34766bf336c56e4aeb74634b6732d0944e1465468626d1f
Instruction ID: 2f68b1b73ed64f245c1a6ebda433876d96cf46e9067814a4a33702efc6ea4ceb
Opcode Fuzzy Hash: ff5436d585582389e34766bf336c56e4aeb74634b6732d0944e1465468626d1f
Instruction Fuzzy Hash: 974125B18187589ADB10AF25C8453DEBFF4AF50315F00C8AEE58897281D37997C8CF96

Function 00408971 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116registryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 004087B6: CryptAcquireContextA.ADVAPI32 ref: 00408805
Part of subcall function 004087B6: CryptCreateHash.ADVAPI32 ref: 0040883C
Part of subcall function 004087B6: CryptHashData.ADVAPI32 ref: 00408868
Part of subcall function 004087B6: CryptGetHashParam.ADVAPI32 ref: 004088A3

RegQueryValueExA.ADVAPI32 ref: 004089F7
CryptUnprotectData.CRYPT32 ref: 00408A6B
LocalFree.KERNEL32 ref: 00408B25

Strings

BAA, xrefs: 00408B02

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Data$AcquireContextCreateFreeLocalParamQueryUnprotectValue
String ID: BAA
API String ID: 1605365258-1692831742
Opcode ID: 48ab4e01a5728df10220c763567179fde9bcf9614d20cdb5cf2f54ab0b6fcdaf
Instruction ID: ca52c820bf44693809b768f53c9273ce6cb39d51f7934d701046dfe5554239b4
Opcode Fuzzy Hash: 48ab4e01a5728df10220c763567179fde9bcf9614d20cdb5cf2f54ab0b6fcdaf
Instruction Fuzzy Hash: EC5173B4A042099FCB40DF69C98579EBBF0BB48304F00856AE898E7351D774EA848F96

Function 0040FC58 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040FC62
GetLocalTime.KERNEL32 ref: 0040FC81
GetWindowTextA.USER32 ref: 0040FCA1

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 0040FA98: GetLocalTime.KERNEL32 ref: 0040FABA
Part of subcall function 0040FA98: CloseHandle.KERNEL32 ref: 0040FB1D
Part of subcall function 0040FA98: CreateFileA.KERNEL32 ref: 0040FBD0

Strings

iFA, xrefs: 0040FCBE

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: LocalTimeWindow$CloseCreateFileForegroundHandleText_vsnprintf
String ID: iFA
API String ID: 3580565685-532656184
Opcode ID: dc00317daa823cb9276fda14bab8d1ce1c9f3b77865aa93909205f1f568bd11f
Instruction ID: 38f6a2c2e79afc0ecd5df7ed28411f7503ab69d836c464945d8390dd89849ff4
Opcode Fuzzy Hash: dc00317daa823cb9276fda14bab8d1ce1c9f3b77865aa93909205f1f568bd11f
Instruction Fuzzy Hash: 9511D0B09047199AC760DF65D9812AFB7F0BB48745F1049BEA88993281E7788A84CF55

Function 004045AC Relevance: 6.1, APIs: 4, Instructions: 145fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004045CB

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

FindFirstFileA.KERNEL32 ref: 00404605
FindClose.KERNEL32(?,?), ref: 0040462F
FindNextFileA.KERNEL32(?,?), ref: 004047B9

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Find$File$CloseErrorFirstModeNext_vsnprintf
String ID:
API String ID: 3730131509-0
Opcode ID: 076ee79122b3436bb3b8bfaabb885c4b5ad79c44ed25760ef8b051012f3dd94f
Instruction ID: 2593e12487520a48a322449849de4ca25e75851314d5c1416644c12062ff8950
Opcode Fuzzy Hash: 076ee79122b3436bb3b8bfaabb885c4b5ad79c44ed25760ef8b051012f3dd94f
Instruction Fuzzy Hash: 3361E9F4808305AFD710EF25C98469EBBF4EF84354F04C96EE588AB391D3789A848F46

Function 004120BC Relevance: 6.1, APIs: 4, Instructions: 57processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00412108
Process32First.KERNEL32 ref: 0041212C
Process32Next.KERNEL32 ref: 00412164
CloseHandle.KERNEL32 ref: 0041216E

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: b34769d8eb764ed80869c329f0dcd0ed218771a8a99234c4eb81c95ea124fb97
Instruction ID: dc86b6391665ec6c51e98d6a30bc66ecca3d47f1a0914be38fd54aad509e9d2c
Opcode Fuzzy Hash: b34769d8eb764ed80869c329f0dcd0ed218771a8a99234c4eb81c95ea124fb97
Instruction Fuzzy Hash: 9D110AB0904304AFD710EF65C9856EEBBF8EF84754F00886FF988D7201D7B899908B56

Function 0040B849 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040B85E
GetUserNameA.ADVAPI32 ref: 0040B874

Strings

KCA, xrefs: 0040B883

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: NameUsergetenv
String ID: KCA
API String ID: 3323410895-1493292787
Opcode ID: f09bc2163d5e417fda667a3801d56544f7504deba1a95c2535fbb1d0da4d81f5
Instruction ID: 93b68ccb07a19b0e332611bce7a53bba85470a5ab4b852b611ab372c68c4848c
Opcode Fuzzy Hash: f09bc2163d5e417fda667a3801d56544f7504deba1a95c2535fbb1d0da4d81f5
Instruction Fuzzy Hash: 63F0D6B1908314AFDB00AF55D5414DEBBF8EE44754F10C42FFC9897251D37495509B9A

Function 0040A07F Relevance: 3.2, APIs: 2, Instructions: 180encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0040A1CD
LocalFree.KERNEL32 ref: 0040A2A5

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 6b3e8b3b548a0994eeafafb947f04af19ae933bf52dd646e836e27da49c569cd
Instruction ID: 354592a7c4b75b1edebc5e8f641874d5ef5bd54dec488d7c52d0676a8032899d
Opcode Fuzzy Hash: 6b3e8b3b548a0994eeafafb947f04af19ae933bf52dd646e836e27da49c569cd
Instruction Fuzzy Hash: 9891A4B09043198FDB50DF65C58579EBBF4FF48304F1084AAE898A7340DB799A94CF96

Function 004065ED Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

SetCursorPos.USER32 ref: 00406602
mouse_event.USER32 ref: 00406695

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Cursormouse_event
String ID:
API String ID: 1102576784-0
Opcode ID: b56dbc3c8afd2e86c22553aa27f180bdb3824a90655ea9961313d8c7895b2879
Instruction ID: d4530d024c4aa0a579763f122d2ae13491926dfd7348beb7c7e67ec921a419ba
Opcode Fuzzy Hash: b56dbc3c8afd2e86c22553aa27f180bdb3824a90655ea9961313d8c7895b2879
Instruction Fuzzy Hash: EF0184B0008345AAE700AF15C11936FBBE5AB84708F41CD1EE8D95B281D7BEC599DF9B

Function 0040E6A3 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

, xrefs: 0040E862

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b8d42a7b63d4474c9d296802be1ff9ad28c4bd8d98a796cadb29ad3b8ed83466
Instruction ID: af0e4bd2f8db11168633d7947d060afc8ea8c21cc56c489c88e60dc4be1be253
Opcode Fuzzy Hash: b8d42a7b63d4474c9d296802be1ff9ad28c4bd8d98a796cadb29ad3b8ed83466
Instruction Fuzzy Hash: 2BE1A3316093919FD344CF2ED894467BBE2ABD9200F49C97EE5C487366C634E812DBA6

Function 0040EB76 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

, xrefs: 0040ED54

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2cb219ad1ba735ddc1010fc04fb07be04a48c2c717d2421ba4e92f8a78365db7
Instruction ID: dbe08ef90ca7c0ba67045d17c91d3382d316b0ef5ad8322767aaa1e22ac0fbde
Opcode Fuzzy Hash: 2cb219ad1ba735ddc1010fc04fb07be04a48c2c717d2421ba4e92f8a78365db7
Instruction Fuzzy Hash: 1AE1A1316093519FC344DF2ED8D046ABBE2EBC9200F89C93ED69487356CB34E915DBA6

Function 0040658F Relevance: 1.5, APIs: 1, Instructions: 12keyboardCOMMON

Download Yara Rule

APIs

keybd_event.USER32 ref: 004065B4

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: keybd_event
String ID:
API String ID: 2665452162-0
Opcode ID: ad786c9eec74cfddfaa1de87bd31ff0ac883e7b7428f562d910820cb54471c70
Instruction ID: 514b6a3e3d432557939aa7a66e17ac90f26ef639243acb5799a6f0622e44b1ea
Opcode Fuzzy Hash: ad786c9eec74cfddfaa1de87bd31ff0ac883e7b7428f562d910820cb54471c70
Instruction Fuzzy Hash: F7D0C9B44083446AD700BF39C51A31FBEE49B4034CF40C94DE8D44B286E2B9C1588BD2

Function 00411614 Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97078c1ec4012f78fb44af18f5c532879ac62cdecd602c122b775541fe005406
Instruction ID: b6bb0abaf440d756293c1a002dd11d6f450bc76aad7b664dcb83bd2216a62ab0
Opcode Fuzzy Hash: 97078c1ec4012f78fb44af18f5c532879ac62cdecd602c122b775541fe005406
Instruction Fuzzy Hash: E0227077F442104BDB5CCE5ACC906AAB393BBD831035FD27D8C06AB759DAB4B94686C0

Function 0040E190 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31593d8cefdcca00685f87743ed0cec816f2b2c0fbbdf3ba0f037685ca3658f4
Instruction ID: e6d911fdb611b8e20caa4b8839373222f843f50831378261c373f2f2ec46952d
Opcode Fuzzy Hash: 31593d8cefdcca00685f87743ed0cec816f2b2c0fbbdf3ba0f037685ca3658f4
Instruction Fuzzy Hash: 35A184729281B14BD74D8F2D9865437BBE0AB0920174B85FBD8C6AB393CA74DC41DBE4

Function 0040E4C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbdbce695deb1e2b3e85a9bc98d2888b1b594ebbb5921316fa6f60b82e0e5ede
Instruction ID: 2701268bbd9fc2b5e320d490e8e555aea3c7527564387eb6455bb319325a37e2
Opcode Fuzzy Hash: cbdbce695deb1e2b3e85a9bc98d2888b1b594ebbb5921316fa6f60b82e0e5ede
Instruction Fuzzy Hash: 9C51A5758082649FD7049F1EE8A00B6BBE1E78D310B09C57EEA8417392D734F911DBE9

Function 00411D8F Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f0cb38eadaf4d6d83f4dade177b392778d08c3289c2bab45c74c43a88b0d488
Instruction ID: cb815717d701d92d0321e5c1705efccde2e51b9c811003f00643a04b9458148e
Opcode Fuzzy Hash: 5f0cb38eadaf4d6d83f4dade177b392778d08c3289c2bab45c74c43a88b0d488
Instruction Fuzzy Hash: 27411C651093C08FCB15CF6D84C059ABFE19FA6200B08C99EE8D99F74BD634D948C772

Function 00409681 Relevance: 53.0, APIs: 16, Strings: 14, Instructions: 460
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00409762
GetProcAddress.KERNEL32 ref: 0040978B
GetProcAddress.KERNEL32 ref: 004097A4
GetProcAddress.KERNEL32 ref: 004097BD
GetProcAddress.KERNEL32 ref: 004097D6
GetProcAddress.KERNEL32 ref: 004097EF
GetProcAddress.KERNEL32 ref: 00409808
FreeLibrary.KERNEL32 ref: 00409E1C

Strings

J, xrefs: 004096B8
T, xrefs: 004096D0
B, xrefs: 0040968C
`, xrefs: 004096F4
<, xrefs: 004096D8
U, xrefs: 00409708
A, xrefs: 004096A8
p, xrefs: 004096BC
(, xrefs: 004096C8
K, xrefs: 004096E8
;, xrefs: 00409704
7BA, xrefs: 00409D6E
M, xrefs: 004096C0
K, xrefs: 00409698

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: ($7BA$;$<$A$B$J$K$K$M$T$U$`$p
API String ID: 2449869053-391259618
Opcode ID: 0102906048278b01bfaadb7cca6d2feb094f081cc665968ec8cf0634dcfafca6
Instruction ID: 5cdc09787fa2d98662f5f6e6c34f3ce4d23c8e7ea1ffc8e747b05e0de4b5849e
Opcode Fuzzy Hash: 0102906048278b01bfaadb7cca6d2feb094f081cc665968ec8cf0634dcfafca6
Instruction Fuzzy Hash: 633296B0908349CFDB10DFA9C58479EBBF0BF45314F108A5DE498AB291D3789949CF96

Function 00405DD8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 199
pipeprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getenv.MSVCRT ref: 00405DF4

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

getenv.MSVCRT ref: 00405E28
CreatePipe.KERNEL32 ref: 00405ED4
CreatePipe.KERNEL32 ref: 00405F07
GetStartupInfoA.KERNEL32 ref: 00405F1A
CreateProcessA.KERNEL32 ref: 00405F9A
CloseHandle.KERNEL32 ref: 00405FD6
CloseHandle.KERNEL32(?), ref: 00405FEB

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

PeekNamedPipe.KERNEL32 ref: 00406052
malloc.MSVCRT ref: 0040608A
ReadFile.KERNEL32 ref: 004060C4
CloseHandle.KERNEL32 ref: 00406119
CloseHandle.KERNEL32(00000000), ref: 00406127
TerminateProcess.KERNEL32(?,00000000), ref: 0040613E

Strings

D, xrefs: 00405E5F
", xrefs: 00406155

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$CriticalFileProcessSectiongetenv$AttributesEnterInfoLeaveNamedPeekReadStartupTerminate_vsnprintfmalloc
String ID: "$D
API String ID: 1761898876-1154559923
Opcode ID: fbb02ef1c314bbc3df60b360c3dda634f94df7fada419d372bd55523850ea963
Instruction ID: ab78ed7e7bd911190741dcd00d2c2ce8cf39d2132aa506c12495ccbc8fdc81d2
Opcode Fuzzy Hash: fbb02ef1c314bbc3df60b360c3dda634f94df7fada419d372bd55523850ea963
Instruction Fuzzy Hash: 5AA10EB48097159FDB10EF25C58879EBBF4BF84308F0088AEE488A7351D7B89984CF46

Function 00410CCC Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 232
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410D0F
RegEnumValueA.ADVAPI32 ref: 00410D74
RegQueryValueExA.ADVAPI32 ref: 00410DF4
RegQueryValueExA.ADVAPI32 ref: 00410E99

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

RegQueryValueExA.ADVAPI32 ref: 00410FBE
malloc.MSVCRT ref: 00410FD7
RegQueryValueExA.ADVAPI32 ref: 0041100B
RegCloseKey.ADVAPI32 ref: 004110EB

Strings

xHA, xrefs: 00411023
BHA, xrefs: 0041106A
_HA, xrefs: 00410F43

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseEnumOpen_vsnprintfmalloc
String ID: BHA$_HA$xHA
API String ID: 4070552197-3285710930
Opcode ID: ac5d138f93a558dbc5e116cd23dbb3c29edebc9a2d5825cb4dd6319581db7c8d
Instruction ID: 989e93437ed1fc3a8c40e072f8fd8bc0d184f3097b92b14acd78646b57eb1c1e
Opcode Fuzzy Hash: ac5d138f93a558dbc5e116cd23dbb3c29edebc9a2d5825cb4dd6319581db7c8d
Instruction Fuzzy Hash: A3B197B49083559FDB10DF29D58879AFBF0BF48344F10899EE48897251D3B89AC8CF96

Function 00405A58 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184
timeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00405A73
Process32First.KERNEL32 ref: 00405A98
CloseHandle.KERNEL32 ref: 00405AA6

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

OpenProcess.KERNEL32 ref: 00405B43
GetProcessTimes.KERNEL32 ref: 00405BBF
FileTimeToSystemTime.KERNEL32 ref: 00405BF0
CloseHandle.KERNEL32 ref: 00405C83
Process32Next.KERNEL32 ref: 00405CF6
CloseHandle.KERNEL32 ref: 00405D0E

Strings

), xrefs: 00405D4D
`;A, xrefs: 00405C67
~;A, xrefs: 00405CA9

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessProcess32Time$CreateFileFirstNextOpenSnapshotSystemTimesToolhelp32_vsnprintf
String ID: )$`;A$~;A
API String ID: 1698657367-2041144709
Opcode ID: 36dd3521c2ac3d965cffdad25bdc6b6ff33896376b5b83b920d8e41b854f2f6b
Instruction ID: 831750719b15e0876fd54e10c955a5243bc5bc00d0fe484e563cac8dfc63c47b
Opcode Fuzzy Hash: 36dd3521c2ac3d965cffdad25bdc6b6ff33896376b5b83b920d8e41b854f2f6b
Instruction Fuzzy Hash: BB81FAB48087159ED720EF25C9447AFBBF4EF44345F00896EE888A7281E7789A84DF56

Function 0040578A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 171
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 004057EB

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

connect.WS2_32 ref: 00405834
send.WS2_32 ref: 00405896
recv.WS2_32 ref: 004058D7

Strings

):A, xrefs: 00405855
1;A, xrefs: 004059FB

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: connectgethostbynamehtonsrecvsendsocket
String ID: ):A$1;A
API String ID: 2370112503-816570355
Opcode ID: 30f792e7e5844c66469dbdca816c237e38cee11f407f4a80b514b23e9ea034fc
Instruction ID: 71e4d62505e26983df68ec771c9a0a1423731bef936d2721f1dc97ea6062637c
Opcode Fuzzy Hash: 30f792e7e5844c66469dbdca816c237e38cee11f407f4a80b514b23e9ea034fc
Instruction Fuzzy Hash: 4E71E8B49087049FD710EF69C58539EBBE0EF44358F00C96EE888DB381D7B999949F4A

Function 0041217C Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 262
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411EE0: malloc.MSVCRT ref: 00411EF0

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

malloc.MSVCRT ref: 00412289
htons.WS2_32 ref: 0041230D
inet_ntoa.WS2_32(?), ref: 0041231F
htons.WS2_32 ref: 00412363
inet_ntoa.WS2_32 ref: 00412375
malloc.MSVCRT ref: 0041248D
htons.WS2_32 ref: 0041251B
inet_ntoa.WS2_32 ref: 00412531

Part of subcall function 004120BC: CreateToolhelp32Snapshot.KERNEL32 ref: 00412108
Part of subcall function 004120BC: Process32First.KERNEL32 ref: 0041212C
Part of subcall function 004120BC: CloseHandle.KERNEL32 ref: 0041216E

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Strings

}IA, xrefs: 0041254C
N, xrefs: 0041261B
=IA, xrefs: 0041220A

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: htonsinet_ntoamalloc$AddressCloseCreateFirstHandleLibraryLoadProcProcess32SnapshotToolhelp32_vsnprintf
String ID: =IA$N$}IA
API String ID: 3806733647-3309204232
Opcode ID: 7b9541f545c9f2a34757e8f7c29394d1a1f9830dc890e4d2419c71ec7690ea62
Instruction ID: 20a1844e7a5c459d330a443d6b8fa9c6bd77651207b4c8d8b34c766d9274e1b4
Opcode Fuzzy Hash: 7b9541f545c9f2a34757e8f7c29394d1a1f9830dc890e4d2419c71ec7690ea62
Instruction Fuzzy Hash: EBD1D5B09083159FCB11EF65C58479EBBF8BF84708F01899EE58897251D7B89AC4CF46

Function 0040C941 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 0040C9D4
fread.MSVCRT ref: 0040C9F6
fwrite.MSVCRT ref: 0040CB6B
fclose.MSVCRT ref: 0040CB7F
SetFileAttributesA.KERNEL32 ref: 0040CBA3

Strings

4A, xrefs: 0040CAB1
D, xrefs: 0040CB2C
D, xrefs: 0040CB58
lEA, xrefs: 0040C993
4A, xrefs: 0040CA1E

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AttributesFilefclosefopenfreadfwrite
String ID: 4A$ 4A$D$D$lEA
API String ID: 89957345-2790498474
Opcode ID: f152b6aa1b7416d8f0f0ebd9bf0003a6d043924cad8ac1b086a1b89980a8b980
Instruction ID: 8ee7dcb1a855fa224ab7dec011a0fbf22432a1ee2610218971ebbed7d3f7c393
Opcode Fuzzy Hash: f152b6aa1b7416d8f0f0ebd9bf0003a6d043924cad8ac1b086a1b89980a8b980
Instruction Fuzzy Hash: F751D3F0408714EBD710EF11C58539EBBE4AF84348F41C96EE5886B281D7BD9989DF4A

Function 0040CE57 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

SetFileAttributesA.KERNEL32 ref: 0040CEC4
fopen.MSVCRT ref: 0040CED6
fwrite.MSVCRT ref: 0040CF84
fclose.MSVCRT ref: 0040CF94
SetFileAttributesA.KERNEL32 ref: 0040CFB6

Strings

D, xrefs: 0040CF4B
lEA, xrefs: 0040CE8D
DA, xrefs: 0040CECB
xEA, xrefs: 0040CE95
D, xrefs: 0040CF74

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AttributesFile$_vsnprintffclosefopenfwrite
String ID: D$D$lEA$xEA$DA
API String ID: 1105125946-1048815438
Opcode ID: 9e7d724425f60edd07a3b15a2b20a5c6f0d5eef6687e60083d1717f7f5f0570b
Instruction ID: a99362d3ca4ca861082491842b0435d7b2127b1ddbd31fb88d185ee01cbaad60
Opcode Fuzzy Hash: 9e7d724425f60edd07a3b15a2b20a5c6f0d5eef6687e60083d1717f7f5f0570b
Instruction Fuzzy Hash: BD31FAF1408304ABC710AF25C58429EFBE4AF84358F01C86EE5D8A7381D7B89989CF5A

Function 004111FE Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 151registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 00411267
RegOpenKeyExA.ADVAPI32 ref: 004112AD
RegSetValueExA.ADVAPI32 ref: 004112EA
RegCloseKey.ADVAPI32 ref: 004112FD
RegOpenKeyExA.ADVAPI32 ref: 004113BE
RegDeleteValueA.ADVAPI32 ref: 004113DE
RegCloseKey.ADVAPI32 ref: 004113F0

Strings

Q, xrefs: 004115F6
?, xrefs: 00411240

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseOpenValue$CreateDelete
String ID: ?$Q
API String ID: 774071636-1039334267
Opcode ID: 0d1914a16431f499e83252cdacc41e37facfb873727850b0a8faac512d4cb015
Instruction ID: c439cc1598956ffcb5f5d1af2c0e5dcdd498ed23d8f7eeac35ff14a014eb7dd8
Opcode Fuzzy Hash: 0d1914a16431f499e83252cdacc41e37facfb873727850b0a8faac512d4cb015
Instruction Fuzzy Hash: 4061E5B49093059FC700EF69D58469EFBF4AF98754F00891EF89897311D3B9C9888F96

Function 00410182 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 85windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

RegisterClassExA.USER32 ref: 0041022F
CreateWindowExA.USER32 ref: 00410295
GetMessageA.USER32 ref: 004102CD
TranslateMessage.USER32 ref: 004102DC
DispatchMessageA.USER32(00000000), ref: 004102E5

Strings

0, xrefs: 00410217
wcnwClass, xrefs: 0041018C
0, xrefs: 004101FC
pGA, xrefs: 004101AC

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Message$AddressClassCreateDispatchLibraryLoadProcRegisterTranslateWindow
String ID: 0$0$pGA$wcnwClass
API String ID: 3243276898-1772338863
Opcode ID: 61e49c2ad0511c5c941a7e6583859faedc0309ac2642f0c420f6551139e44464
Instruction ID: 068bc183204c7eb98bb354b3682a6ee4adec67ee41bf8ba6f0d787dc2c733290
Opcode Fuzzy Hash: 61e49c2ad0511c5c941a7e6583859faedc0309ac2642f0c420f6551139e44464
Instruction Fuzzy Hash: D3310CB0409301DAD700AF65DA5839FBBF4FB84348F00892EE4946B281D7BD85C9CF9A

Function 0040DB64 Relevance: 15.2, APIs: 10, Instructions: 169networkCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040DB77
select.WS2_32 ref: 0040DC14
__WSAFDIsSet.WS2_32 ref: 0040DC55
__WSAFDIsSet.WS2_32 ref: 0040DC6A
__WSAFDIsSet.WS2_32 ref: 0040DC7F
__WSAFDIsSet.WS2_32 ref: 0040DC94
recv.WS2_32 ref: 0040DCC8
send.WS2_32 ref: 0040DD06
recv.WS2_32 ref: 0040DD6A
send.WS2_32 ref: 0040DD9C

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: recvsend$mallocselect
String ID:
API String ID: 2752384660-0
Opcode ID: 5fb4c28d16103b5818a03313459db5f4bff912668f9c2c18364a4389608e24b1
Instruction ID: 18315e3feb48a88bf0c145b53d238d843914a4fc181e2f21cb6c293dc3b95497
Opcode Fuzzy Hash: 5fb4c28d16103b5818a03313459db5f4bff912668f9c2c18364a4389608e24b1
Instruction Fuzzy Hash: 1861FEB09043149ADB10EFA5D5897AEBBF4EF44354F10886FE898D7281E7789A848F46

Function 0041053C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 144libraryloadertimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00411EE0: malloc.MSVCRT ref: 00411EF0

LoadLibraryA.KERNEL32 ref: 00410591
GetProcAddress.KERNEL32 ref: 004105AC
GetProcAddress.KERNEL32 ref: 004105C0
GetProcAddress.KERNEL32 ref: 004105D8
FileTimeToSystemTime.KERNEL32 ref: 00410674

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

HA, xrefs: 004106E8
GA, xrefs: 004105C7
', xrefs: 0041076B

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalSectionTime$EnterFileLeaveLibraryLoadSystemmalloc
String ID: HA$'$GA
API String ID: 2869995242-598030498
Opcode ID: 1f702612a7857ecf08445ef31928c6acf8a58152fd26bc50b3c97423ab7d203f
Instruction ID: ae8baa5ecde7fb6ed3adbf78323fa767576e95d4853eb8a3befa3c6e51516c88
Opcode Fuzzy Hash: 1f702612a7857ecf08445ef31928c6acf8a58152fd26bc50b3c97423ab7d203f
Instruction Fuzzy Hash: B65108B48057149FC720DF16C9886AAFBF4EF88304F10C99EE88897350E3789985CF56

Function 00411459 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0041147A
RegQueryValueExA.ADVAPI32 ref: 004114C0
malloc.MSVCRT ref: 004114D9
RegQueryValueExA.ADVAPI32 ref: 0041151C
RegSetValueExA.ADVAPI32 ref: 00411562
RegDeleteValueA.ADVAPI32 ref: 0041157E
RegCloseKey.ADVAPI32 ref: 004115A1

Strings

Q, xrefs: 004115F6

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Value$Query$CloseDeleteOpenmalloc
String ID: Q
API String ID: 262012908-3463352047
Opcode ID: b405ad368a74b2ba0b737f4586612eeebdab027994ea21b8dde39ad54d5f576c
Instruction ID: 3ca93476defa6ef8bcc387df257a5238b1fbcca918f4bd75f6b8d369d1983045
Opcode Fuzzy Hash: b405ad368a74b2ba0b737f4586612eeebdab027994ea21b8dde39ad54d5f576c
Instruction Fuzzy Hash: BD51C8B49053199FCB50EF69D58479EBBF4AF88314F00896EE888D7311E378DA948F52

Function 00407B77 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00407B91

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

getenv.MSVCRT ref: 00407BD0

Part of subcall function 00404BE8: GetFileAttributesExA.KERNEL32 ref: 00404C03

fopen.MSVCRT ref: 00407C04
malloc.MSVCRT ref: 00407C5A
fread.MSVCRT ref: 00407C9E
fclose.MSVCRT ref: 00407CF9
fclose.MSVCRT ref: 00407D1A

Strings

4?A, xrefs: 00407CCC

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AttributesFilefclosegetenv$_vsnprintffopenfreadmalloc
String ID: 4?A
API String ID: 3920827873-2233913188
Opcode ID: 1dca996ad7b087eadbf85a3b399a9cc6a68cd897726542f96d4f23dd8c0bffa1
Instruction ID: 3966e464501311549d35d80b116e3f915d36021e1a2b2f7f5795f4143f236d35
Opcode Fuzzy Hash: 1dca996ad7b087eadbf85a3b399a9cc6a68cd897726542f96d4f23dd8c0bffa1
Instruction Fuzzy Hash: 334194B450C3858BC720EF25C18979EB7E0BF94304F518D2EE49897351D778A589CB97

Function 0040BE4D Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B849: getenv.MSVCRT ref: 0040B85E
Part of subcall function 0040B849: GetUserNameA.ADVAPI32 ref: 0040B874

Part of subcall function 0040B7E0: gethostname.WS2_32 ref: 0040B80C
Part of subcall function 0040B7E0: GetComputerNameA.KERNEL32 ref: 0040B823

Part of subcall function 0040BC47: GetTickCount.KERNEL32 ref: 0040BC7A

Part of subcall function 004051A9: GetModuleFileNameA.KERNEL32 ref: 004051C6

getenv.MSVCRT ref: 0040BF72
getenv.MSVCRT ref: 0040BF80

Part of subcall function 00403F73: EnterCriticalSection.KERNEL32 ref: 00403FA3
Part of subcall function 00403F73: LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

H4A, xrefs: 0040BFF3
l4A, xrefs: 0040BFFB
%, xrefs: 0040C0C8
l5A, xrefs: 0040C019
KCA, xrefs: 0040BEE5

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Namegetenv$CriticalSection$ComputerCountEnterFileLeaveModuleTickUsergethostname
String ID: %$H4A$KCA$l4A$l5A
API String ID: 3776303047-1407204963
Opcode ID: 28bec2c9a909412c80fc4afe47b31c81f4d736968078f8f8d868cdd665d4890a
Instruction ID: d85f1876405dfec4d647fd46b7b60a1a979ce71c79954cbce53fc50b7907c98a
Opcode Fuzzy Hash: 28bec2c9a909412c80fc4afe47b31c81f4d736968078f8f8d868cdd665d4890a
Instruction Fuzzy Hash: 2D619FB4809780DFD320EF65C18469EFBE0AF89348F108D2EE9D897351D77995488F9A

Function 0040FA98 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103filetimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0040FABA
CloseHandle.KERNEL32 ref: 0040FB1D
CloseHandle.KERNEL32 ref: 0040FB40
CreateFileA.KERNEL32 ref: 0040FBD0
SetFilePointer.KERNEL32 ref: 0040FC09
WriteFile.KERNEL32 ref: 0040FC40

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Strings

XFA, xrefs: 0040FAE3

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerTimeWrite_vsnprintf
String ID: XFA
API String ID: 3264027427-974536607
Opcode ID: a40413c76cd8f53656618cd0bb0ef3d86255663df44c752a595bfe4aee92ffe6
Instruction ID: 91731cd170c5d998bbcfc750042ee8dc55e74d060ef57c9b543632cca1338494
Opcode Fuzzy Hash: a40413c76cd8f53656618cd0bb0ef3d86255663df44c752a595bfe4aee92ffe6
Instruction Fuzzy Hash: 89410DF04083058AD720AF65D5453AABBF0FB40369F10CA3EE4A4973D1D7BC95889F9A

Function 00410A45 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 00410AA2
RegOpenKeyExA.ADVAPI32 ref: 00410AD7

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

RegEnumKeyExA.ADVAPI32 ref: 00410B37
RegCloseKey.ADVAPI32 ref: 00410B4C
RegDeleteKeyA.ADVAPI32(00000000), ref: 00410B5C

Strings

8HA, xrefs: 00410A6A
@, xrefs: 00410B81

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Delete$CloseEnumOpen_vsnprintf
String ID: 8HA$@
API String ID: 3258335120-4290720585
Opcode ID: c5296b4e9af734e42d8dbebc49b89b832d88072c421cde381e7b794f12b01c9b
Instruction ID: e26009748f05c12376dafa838653ca88d826763a5889efdba6fa65f1d4502876
Opcode Fuzzy Hash: c5296b4e9af734e42d8dbebc49b89b832d88072c421cde381e7b794f12b01c9b
Instruction Fuzzy Hash: E641C8B49083059BDB10EF69C58879FBBE4BF84344F00885EE8989B241D3B995888F96

Function 0040C27A Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 0040C2D4

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

fopen.MSVCRT ref: 0040C349
fwrite.MSVCRT ref: 0040C367
fclose.MSVCRT ref: 0040C36F
getenv.MSVCRT ref: 0040C37B

Strings

l6A, xrefs: 0040C307
DA, xrefs: 0040C33E

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintffclosefopenfwrite
String ID: l6A$DA
API String ID: 3159630692-3596656015
Opcode ID: 122f7d1ac48ac6bb0f43b323a60622b7e1d5dec9b676e12db3d618f369a0e9d3
Instruction ID: 8d8fa0fa9e342449d6642be7a3f3b57dbab194fb3984e5e901ee57e0f6d2ef16
Opcode Fuzzy Hash: 122f7d1ac48ac6bb0f43b323a60622b7e1d5dec9b676e12db3d618f369a0e9d3
Instruction Fuzzy Hash: 5C31B1F44087409BD310AF66C58529EBBE0AF84348F01CD2EE4C89B241E7BC96888F5B

Function 0040DE41 Relevance: 12.2, APIs: 8, Instructions: 151networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0040DEB2
__WSAFDIsSet.WS2_32 ref: 0040DECB
recv.WS2_32 ref: 0040DEF9
recv.WS2_32 ref: 0040DF35
recv.WS2_32 ref: 0040DFBB
htons.WS2_32 ref: 0040E017
socket.WS2_32 ref: 0040E061
connect.WS2_32 ref: 0040E09D

Part of subcall function 0040DE0A: send.WS2_32 ref: 0040DE33

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: recv$closesocketconnecthtonsselectsendshutdownsocket
String ID:
API String ID: 1430705073-0
Opcode ID: fc92c8c5a0dbe27017bf89f444769f8f89c10a8134cd6a4765926d74bf260c17
Instruction ID: 01c18aa514289597c269caeadaa752c3b40ab312fda17ef6e48aabd214f6af05
Opcode Fuzzy Hash: fc92c8c5a0dbe27017bf89f444769f8f89c10a8134cd6a4765926d74bf260c17
Instruction Fuzzy Hash: 7B611EB08097149FDB10EF25C58939EBBF4EF44348F0089AEE48897291D7B98989CF46

Function 00405524 Relevance: 12.1, APIs: 8, Instructions: 79fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040554D

Part of subcall function 0040549D: fgetpos.MSVCRT ref: 004054C3

fgetpos.MSVCRT ref: 00405592
fsetpos.MSVCRT ref: 004055CD
malloc.MSVCRT ref: 004055D9
fread.MSVCRT ref: 004055F9
realloc.MSVCRT ref: 0040560F
fclose.MSVCRT ref: 0040561B
fclose.MSVCRT ref: 0040562C

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fclosefgetpos$fopenfreadfsetposmallocrealloc
String ID:
API String ID: 3217104080-0
Opcode ID: 620a412af4db0eede7548b3dcc00da877d41a799f83f43c82130cfbec20a1575
Instruction ID: a0d5e706f921886c5c23fd30e6422af03956917385b2da39634412cda78928d3
Opcode Fuzzy Hash: 620a412af4db0eede7548b3dcc00da877d41a799f83f43c82130cfbec20a1575
Instruction Fuzzy Hash: 1A31C8B0509B019AD710EF26D68535FBBE4EF84748F404C2EE48897291D779D9848F57

Function 00404A9D Relevance: 12.1, APIs: 8, Instructions: 76fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00404AB3
fopen.MSVCRT ref: 00404AD1
malloc.MSVCRT ref: 00404AF1
fread.MSVCRT ref: 00404B13
fwrite.MSVCRT ref: 00404B41
free.MSVCRT(?,?,?,?,?,?,?,?,00000007,?,0040CC64), ref: 00404B53
fclose.MSVCRT ref: 00404B64
fclose.MSVCRT ref: 00404B70

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fclosefopen$freadfreefwritemalloc
String ID:
API String ID: 3268861121-0
Opcode ID: db9cd1ddba3533799f908722b1bbab13f80b73d4618c007276d285a121451fef
Instruction ID: 9b27cd0a215e18dd769d40057a9f1d93868c1d8f5da361802dfeb248399d38f8
Opcode Fuzzy Hash: db9cd1ddba3533799f908722b1bbab13f80b73d4618c007276d285a121451fef
Instruction Fuzzy Hash: 20211BB05087008FC740AF76869176FBBE4AFC4354F10882EE6D8C7381E67DE8858B4A

Function 00408F96 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 301fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00408FBB

Strings

, xrefs: 0040901C
/, xrefs: 00409376

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fopen
String ID: $/
API String ID: 1432627528-2637513485
Opcode ID: 4966ecf185f7c6fd39c6a4eddc59e0371599998d27bcbf0896b958455f4065aa
Instruction ID: f0bb36988fa114ee1f39d1f6ddcb01fe17482cd2e2041a93a4f1d472369bf8b9
Opcode Fuzzy Hash: 4966ecf185f7c6fd39c6a4eddc59e0371599998d27bcbf0896b958455f4065aa
Instruction Fuzzy Hash: D4E1E5B48083199FCB00EFA5D58469EBBF0FF44314F50886EE499A7381D7789A85CF4A

Function 0040D3B3 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040D3EA
fgetpos.MSVCRT ref: 0040D427
fopen.MSVCRT ref: 0040D68B
fopen.MSVCRT ref: 0040D45D

Part of subcall function 0040549D: fgetpos.MSVCRT ref: 004054C3

fread.MSVCRT ref: 0040D7C8

Strings

"FA, xrefs: 0040D680

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fopen$fgetpos$fread
String ID: "FA
API String ID: 1519157137-1668338201
Opcode ID: 1a8d85e7f2cfe4a533ac457cdb7edb3b32a9cc4bb35e199ab6d3934fab32b426
Instruction ID: 9bca862d18c0339220621ce64de444c11e541942f0f53a18aadf7c85be5c6885
Opcode Fuzzy Hash: 1a8d85e7f2cfe4a533ac457cdb7edb3b32a9cc4bb35e199ab6d3934fab32b426
Instruction Fuzzy Hash: DED1D8B49087419FC310EF65C1887AABBE0BF88344F15897EE5D89B392D7789885CF46

Function 00403F73 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00403FA3
malloc.MSVCRT ref: 00403FED
send.WS2_32 ref: 0040408C
WSAGetLastError.WS2_32 ref: 0040409B
LeaveCriticalSection.KERNEL32 ref: 004040C3

Strings

-, xrefs: 00403FAC

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterErrorLastLeavemallocsend
String ID: -
API String ID: 1786834168-2547889144
Opcode ID: 24377aebffa3b5281d1127045a8a1b48695aed9f0c74208b6dc564aaba80508c
Instruction ID: a80a3717f3a453fd2ad5ae32bbc753337fa0d7ebaf2369df8f81d5272f7a8c28
Opcode Fuzzy Hash: 24377aebffa3b5281d1127045a8a1b48695aed9f0c74208b6dc564aaba80508c
Instruction Fuzzy Hash: 1041B3B09043058FCB10AF79C58019ABBE4FF81314F11867FE6A4A72C1C7BC88448B9A

Function 004036A6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 0040370C
send.WS2_32 ref: 004037B1
select.WS2_32 ref: 00403817
__WSAFDIsSet.WS2_32 ref: 0040382E
recv.WS2_32 ref: 00403854

Strings

Z, xrefs: 00403865

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: htonsrecvselectsend
String ID: Z
API String ID: 3248711867-1505515367
Opcode ID: e2fe29d13216e738a7d9de5c78a8d0e8961cc66796e1d6fd5d29dd145357a28f
Instruction ID: 639f4686af90df012d81833e409e9ce70a181e0f674a263e2d816058d9577b47
Opcode Fuzzy Hash: e2fe29d13216e738a7d9de5c78a8d0e8961cc66796e1d6fd5d29dd145357a28f
Instruction Fuzzy Hash: 704142B08083189BD711EF25C98439EBFF4EF54754F1089AEE498A7281D7798A848F96

Function 00407D2B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88fileCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00407D40

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

fopen.MSVCRT ref: 00407D74
fgets.MSVCRT ref: 00407EC5
fclose.MSVCRT ref: 00407EDC

Strings

9?A, xrefs: 00407D49
t?A, xrefs: 00407E50

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: _vsnprintffclosefgetsfopengetenv
String ID: 9?A$t?A
API String ID: 3106633423-361060513
Opcode ID: 780190c4c68a50bb2849932357d605d5961c48d1bb5beacd531f29cb5f208621
Instruction ID: d56ad9afa16f09ea7403fc7f8586aa3536332f1b7c5a8df2208c776a3bfb1608
Opcode Fuzzy Hash: 780190c4c68a50bb2849932357d605d5961c48d1bb5beacd531f29cb5f208621
Instruction Fuzzy Hash: 744174B44093449BD710EF65C14879EBBE4AF88318F508E6FE4D897291E3789685CF4B

Function 00410BBE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00410BF1
RegEnumKeyExA.ADVAPI32 ref: 00410C50
RegCloseKey.ADVAPI32 ref: 00410CBA

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Strings

@, xrefs: 00410C6F
@, xrefs: 00410CA2
>HA, xrefs: 00410C67

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen_vsnprintf
String ID: >HA$@$@
API String ID: 2247870055-995552534
Opcode ID: aaf79daa1072650b113f8b28d349df9d1ef36b6af601e0d60dc24ba25ea1c482
Instruction ID: 0efa45cfe51a755981f14642be1fa79b8e9458597368fc141579fb9ad7984f90
Opcode Fuzzy Hash: aaf79daa1072650b113f8b28d349df9d1ef36b6af601e0d60dc24ba25ea1c482
Instruction Fuzzy Hash: 572117B49043159FDB10DF6AC58578EBBF4FF84354F00895EE88897341E3B899888F96

Function 00403BD0 Relevance: 9.2, APIs: 6, Instructions: 169networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00403C4C
connect.WS2_32 ref: 00403C66

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

socket.WS2_32 ref: 00403D89
connect.WS2_32 ref: 00403DA3
socket.WS2_32 ref: 00403E29
connect.WS2_32 ref: 00403E48

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: connectsocket$closesocketgethostbynamehtonsshutdown
String ID:
API String ID: 4225652895-0
Opcode ID: e1fd7005636b4528ff74c502e5c20b6fc0877db0d376a9960d3f91a021e99125
Instruction ID: f45608c9a9de19c42162c372290f679f17a1801011b9796fd91ebc5e26a1b952
Opcode Fuzzy Hash: e1fd7005636b4528ff74c502e5c20b6fc0877db0d376a9960d3f91a021e99125
Instruction Fuzzy Hash: D07138B09047019FDB00EF2AD58069ABFF8AF48719F00C97EE888A7391D7389545CF4A

Function 00406A02 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

i<A, xrefs: 00406CB2

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID: i<A
API String ID: 0-3396280644
Opcode ID: 1540d20901c712bcf7481c4b852b8111f1dc69a69761e444df4b5c5b44ba47b8
Instruction ID: 26933de734823d81723c3ef3ef006f536492122f3a2a695693b393f7b42d023a
Opcode Fuzzy Hash: 1540d20901c712bcf7481c4b852b8111f1dc69a69761e444df4b5c5b44ba47b8
Instruction Fuzzy Hash: 2791B8F49043199ECB10EF65C5886DDBBF4BF84308F0188AED498A7341E7799698CF5A

Function 0040CBB4 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004051A9: GetModuleFileNameA.KERNEL32 ref: 004051C6

ExitProcess.KERNEL32 ref: 0040CD0B
fopen.MSVCRT ref: 0040CDDF

Part of subcall function 004049EC: GetFileAttributesA.KERNEL32 ref: 004049F9
Part of subcall function 004049EC: SetFileAttributesA.KERNEL32 ref: 00404A13
Part of subcall function 004049EC: DeleteFileA.KERNEL32 ref: 00404A1D

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

Part of subcall function 004053D0: Sleep.KERNEL32 ref: 004053DC

Strings

|3A, xrefs: 0040CD2C
T3A, xrefs: 0040CD64
}EA, xrefs: 0040CDD4

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: File$Attributes$DeleteExitModuleNameProcessSleepfopen
String ID: T3A$|3A$}EA
API String ID: 1458395772-2817059344
Opcode ID: 718e782435daecc7b4a03f43b9078f6382099c987aa982178e431d811c2576fa
Instruction ID: 51effcca1c704c504e302ac1a58f79a9d859821a49503cd4af434985cd58f9ce
Opcode Fuzzy Hash: 718e782435daecc7b4a03f43b9078f6382099c987aa982178e431d811c2576fa
Instruction Fuzzy Hash: 5E51CAF0408304DADB10BF52C5853AEBBE1AF85748F01C96EE5D82B382C7BD8585CB5A

Function 0040350F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004033A1: gethostbyname.WS2_32(?), ref: 004033B2
Part of subcall function 004033A1: htons.WS2_32 ref: 004033EC

send.WS2_32 ref: 004035CF
select.WS2_32 ref: 00403636
__WSAFDIsSet.WS2_32 ref: 0040364D
recv.WS2_32 ref: 00403673

Strings

Z, xrefs: 00403691

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: gethostbynamehtonsrecvselectsend
String ID: Z
API String ID: 3406712544-1505515367
Opcode ID: 6e6e436aaa553e773ace2c488cef308333e37fe85ede4f4e8089efc67dcee756
Instruction ID: d8c65e0f9aad23d1af9af4d348d8c80e5621668995a4c6faa5eb2facd0193626
Opcode Fuzzy Hash: 6e6e436aaa553e773ace2c488cef308333e37fe85ede4f4e8089efc67dcee756
Instruction Fuzzy Hash: 41411CB1808354AEDB10EF25C9857DEBFF4EF44748F0088AEE48897241D7798688CF96

Function 0040536B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0040537E
fread.MSVCRT ref: 004053A4
fclose.MSVCRT ref: 004053B1
fclose.MSVCRT ref: 004053B8

Strings

MZ, xrefs: 004053BD

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fclose$fopenfread
String ID: MZ
API String ID: 3873288765-2410715997
Opcode ID: 9605b6368c7e52d2d36c2c8b4eab568b67af4b93ea4d172e13cb709ab50c471a
Instruction ID: 9393c3985b465bb99bfc5020030233f5d28b48a66406ef6bb25f7d1826fd756a
Opcode Fuzzy Hash: 9605b6368c7e52d2d36c2c8b4eab568b67af4b93ea4d172e13cb709ab50c471a
Instruction Fuzzy Hash: A8F03AB041D700DAC700AF72869525EBBE4AB40344F009C2EE884D6241E2BCE5D58F4B

Function 0040A3A0 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0040A3B1
malloc.MSVCRT ref: 0040A3CF

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: f8da10d288f937eb86023cac6c037111826c2a1de32a8c7e0a0aab0348e0a4d2
Instruction ID: 789c58f6633a799f3ccdadbc4a0bac70c7f1a2e104ed6179fdba0fe567e55c56
Opcode Fuzzy Hash: f8da10d288f937eb86023cac6c037111826c2a1de32a8c7e0a0aab0348e0a4d2
Instruction Fuzzy Hash: 5931EDB49083459FCB00EFA9C5856AEBBF0AF44304F10886EE894E7351E378D994DB57

Function 00410790 Relevance: 7.6, APIs: 5, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004107C6
RegQueryValueExA.ADVAPI32 ref: 00410802
malloc.MSVCRT ref: 00410814
RegQueryValueExA.ADVAPI32 ref: 00410841
RegCloseKey.ADVAPI32 ref: 0041085E

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpenmalloc
String ID:
API String ID: 3087825141-0
Opcode ID: da8aec73c22567295960909c3a800c693cf5124f7f3b0def9f79d6b74d7549c4
Instruction ID: 1217e0b8794edc4e031b010a6be2ed351a67450e6abd488551cfa17ba1e0834e
Opcode Fuzzy Hash: da8aec73c22567295960909c3a800c693cf5124f7f3b0def9f79d6b74d7549c4
Instruction Fuzzy Hash: 302187B491830A9FDB00EF69C58569FBBF4FF44354F00881EE894E7241E378D5948B96

Function 00403AE4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

send.WS2_32 ref: 00403A75
recv.WS2_32 ref: 00403AB4

Strings

d9A, xrefs: 00403AC4
<9A, xrefs: 00403A35

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: _vsnprintfrecvsend
String ID: <9A$d9A
API String ID: 2169655391-3684208877
Opcode ID: e8b359e425845bb700784f7dfdd199c0dfdde8338becbbe548a60deb81eb2e56
Instruction ID: 52c586be3d5286e1c27e98d6c6b05f26156bc573bbc9a7378f3ceb3dbd24a318
Opcode Fuzzy Hash: e8b359e425845bb700784f7dfdd199c0dfdde8338becbbe548a60deb81eb2e56
Instruction Fuzzy Hash: 0F31C1B1908302AFD700EF6AD58425BBFE4EB88355F20C82EF49897351D3799644CF96

Function 00401382 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401389
getenv.MSVCRT ref: 00401473

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

getenv.MSVCRT ref: 004014AA

Strings

h7A, xrefs: 004014B3

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: getenv$_vsnprintfmalloc
String ID: h7A
API String ID: 3160696619-676958904
Opcode ID: 487db17d1b4c47ea58c2dea3649691b4fc060ce402f28ef2e464a04554c8b9b0
Instruction ID: 1fc0069b4abfa9b8dfb60568f3aa392d10e3822a04c98d6cd7e49b5590f01b81
Opcode Fuzzy Hash: 487db17d1b4c47ea58c2dea3649691b4fc060ce402f28ef2e464a04554c8b9b0
Instruction Fuzzy Hash: CA4182F44087459ED710EF25C18439EFBE0AF84358F01C86EE5E897292D7B99598CF86

Function 00406764 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 004067A6
fread.MSVCRT ref: 004067E2
fclose.MSVCRT ref: 004068C7

Strings

<A, xrefs: 00406794

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: fclosefopenfread
String ID: <A
API String ID: 2679521937-2242986680
Opcode ID: ff589dd713b73397fdc3e6b5163c27066bcce45e9a8f163bc71680c80bdf0d54
Instruction ID: dbd2f63e4770309578c13372b46e31df310eed181dc9b582002996e537544628
Opcode Fuzzy Hash: ff589dd713b73397fdc3e6b5163c27066bcce45e9a8f163bc71680c80bdf0d54
Instruction Fuzzy Hash: AB3181B55493859FD360EF68C18979EBBE0AFA4304F018C2EE498C7341D7789594CB97

Function 0040C0E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64processthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00404A4E: GetFileAttributesA.KERNEL32 ref: 00404A5A

Part of subcall function 0040536B: fopen.MSVCRT ref: 0040537E
Part of subcall function 0040536B: fread.MSVCRT ref: 004053A4
Part of subcall function 0040536B: fclose.MSVCRT ref: 004053B1

CreateProcessA.KERNEL32 ref: 0040C18C

Part of subcall function 0040C5B8: ReleaseMutex.KERNEL32(?,?,?,?,?,0040C19D), ref: 0040C5CA
Part of subcall function 0040C5B8: CloseHandle.KERNEL32(00000000,?,?,?,?,?,0040C19D), ref: 0040C5D8

Part of subcall function 00403B94: shutdown.WS2_32 ref: 00403BB3
Part of subcall function 00403B94: closesocket.WS2_32 ref: 00403BBF

ResumeThread.KERNEL32 ref: 0040C1AE
ExitProcess.KERNEL32 ref: 0040C1BE

Strings

D, xrefs: 0040C116

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: Process$AttributesCloseCreateExitFileHandleMutexReleaseResumeThreadclosesocketfclosefopenfreadshutdown
String ID: D
API String ID: 1496764705-2746444292
Opcode ID: 98759e6b4141c8037af9f44ae1c225824c537d05bc6d4c53ef4f4bafba89c97f
Instruction ID: 3df724109044ca6045a273acb2a0b903fcea3471b9f62945986bb6794adae1b2
Opcode Fuzzy Hash: 98759e6b4141c8037af9f44ae1c225824c537d05bc6d4c53ef4f4bafba89c97f
Instruction Fuzzy Hash: 9F21E6B04087049AD700AF62C58575EFFE4EF84348F00892EF8D86B282C7BD9549CF8A

Function 0040C46D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 0040C4E8

Part of subcall function 004109E0: RegOpenKeyExA.ADVAPI32 ref: 00410A0D
Part of subcall function 004109E0: RegDeleteValueA.ADVAPI32 ref: 00410A26
Part of subcall function 004109E0: RegCloseKey.ADVAPI32(00000000,00000000), ref: 00410A38

Strings

lEA, xrefs: 0040C510
7EA, xrefs: 0040C4B8
xEA, xrefs: 0040C518

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValuefclose
String ID: 7EA$lEA$xEA
API String ID: 3171391837-703029007
Opcode ID: f80e68b3fa7901b6fad9aa7f6031b78a2ec26a266523b6d1ba26eeaafd0f803a
Instruction ID: 605899f61dfecdf79069195a6bd4902f44fe9ec78421cae17124a412675369a3
Opcode Fuzzy Hash: f80e68b3fa7901b6fad9aa7f6031b78a2ec26a266523b6d1ba26eeaafd0f803a
Instruction Fuzzy Hash: 7021B9F0408700DADB10BF61D5C52AEBBE1AF85748F41896EA4D42B382D7BC8588CB4A

Function 0040491C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32 ref: 004049C0
CloseHandle.KERNEL32 ref: 004049D2
CloseHandle.KERNEL32(?), ref: 004049DE

Strings

D, xrefs: 0040492D

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: d3c95db3079e2714f001d2fff3ef258dd1809fb70e580ee415af3ac449ba6cd0
Instruction ID: b9964cf3b3d70a5b5dc938cb0872cd75bf232a4a120276fd28da50fc377402e5
Opcode Fuzzy Hash: d3c95db3079e2714f001d2fff3ef258dd1809fb70e580ee415af3ac449ba6cd0
Instruction Fuzzy Hash: AC21D8B18043049BDB10DF66C59579FFBF4FF84748F00881EE898AB241C7B99548CB96

Function 0041086E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32 ref: 004108BC
RegSetValueExA.ADVAPI32 ref: 004108FC
RegCloseKey.ADVAPI32 ref: 0041090F

Strings

?, xrefs: 00410892

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: ?
API String ID: 1818849710-1684325040
Opcode ID: c5a9020963ce1851aabbaafaf777da6cb07ebc6527392f3bc5ecaa998ee9963d
Instruction ID: b67772a298c16792d545e4c838f572247838e71552c807cf400b9bdcba797c68
Opcode Fuzzy Hash: c5a9020963ce1851aabbaafaf777da6cb07ebc6527392f3bc5ecaa998ee9963d
Instruction Fuzzy Hash: 6A11F3B49083099FD700DF69C58578EBBE4FB88354F00891EF89897341D775D6988F92

Function 00405105 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0040512E
GetProcAddress.KERNEL32 ref: 0040513F

Strings

9A, xrefs: 0040517C
9A, xrefs: 00405161

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: 9A$9A
API String ID: 2574300362-3490971509
Opcode ID: 441b7707d3960adbc57619bdbd9d5506379f5d47a378f29b1d72181832971a35
Instruction ID: 04f137be5751caa9f4a5b5588fbb0c12bc948d0f94067a8f95b1b9f7478967cd
Opcode Fuzzy Hash: 441b7707d3960adbc57619bdbd9d5506379f5d47a378f29b1d72181832971a35
Instruction Fuzzy Hash: 071182B5A186089AEB10DFA2C8457EFBBF4EF84315F01452ED450AB281D7B94648CBA9

Function 00409E36 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 92stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00408D46: LoadLibraryA.KERNEL32 ref: 00408D5D
Part of subcall function 00408D46: GetProcAddress.KERNEL32 ref: 00408D76
Part of subcall function 00408D46: GetProcAddress.KERNEL32 ref: 00408D8F

strlen.MSVCRT ref: 00409E75
strlen.MSVCRT ref: 00409F1D

Strings

PBA, xrefs: 00409EC6
FBA, xrefs: 00409EBE

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressProcstrlen$LibraryLoad
String ID: FBA$PBA
API String ID: 4231066107-499912699
Opcode ID: 2de3b840e7ba08736f63386ae35480bed279397f256ead27d54ca1a60b046580
Instruction ID: affa15661951d38304884d731f73b7bd68e062ff7d470335ea469b935afa205d
Opcode Fuzzy Hash: 2de3b840e7ba08736f63386ae35480bed279397f256ead27d54ca1a60b046580
Instruction Fuzzy Hash: 80413AB4509341AFC780DF69C184A4BBBE0BF88758F809D2EF89997351E778D9848F46

Function 00403403 Relevance: 6.1, APIs: 4, Instructions: 62networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00403433
setsockopt.WS2_32 ref: 0040346D
WSAIoctl.WS2_32 ref: 004034CC
setsockopt.WS2_32 ref: 004034FF

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: setsockopt$Ioctlioctlsocket
String ID:
API String ID: 1196899187-0
Opcode ID: 0bb391b96dbf3d38a92c29b9e60c2eae1ac5346070497d5f3f2441f7f3dab628
Instruction ID: e4fc5efa884be795be492fef96cfd92d81a3c8fdc32e307957207fc162a98f3b
Opcode Fuzzy Hash: 0bb391b96dbf3d38a92c29b9e60c2eae1ac5346070497d5f3f2441f7f3dab628
Instruction Fuzzy Hash: 4E21EAB18043059AD700DF59C14938EFFF4BF84348F50842DE89867251D3BA9A58CF96

Function 0041091E Relevance: 6.1, APIs: 4, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00406956), ref: 00410950
RegQueryValueExA.ADVAPI32 ref: 00410985
RegQueryValueExA.ADVAPI32 ref: 004109BD
RegCloseKey.ADVAPI32 ref: 004109D0

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: f9a1e11298a144b2812afb63a1443df88ef18117fa55cb9593c73efa3012817b
Instruction ID: ad302815a94d9cbff96995cd7d5d913b80097c713e0b676eb4f4c36459654616
Opcode Fuzzy Hash: f9a1e11298a144b2812afb63a1443df88ef18117fa55cb9593c73efa3012817b
Instruction Fuzzy Hash: 9721E7B19053099BDB00EF69C64468FFBF4FF44344F00882EE894A7201E3B999588F92

Function 00408620 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004080D4: RegOpenKeyExA.ADVAPI32 ref: 00408133
Part of subcall function 004080D4: RegEnumKeyExA.ADVAPI32 ref: 004085FA
Part of subcall function 004080D4: RegCloseKey.ADVAPI32 ref: 00408613

strlen.MSVCRT ref: 00408662
strlen.MSVCRT ref: 004086C2

Strings

h@A@A, xrefs: 00408643
@A, xrefs: 004086A3

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: strlen$CloseEnumOpen
String ID: h@A@A$@A
API String ID: 2898426016-2382529649
Opcode ID: 1c97a400e97095ab1d72774d38258fb386ff9cd5fc6a7fe21eab2aa335d09b76
Instruction ID: 51cf97fa2a358d26db60f32de82e9788272475af2e5874e69a239f955066867a
Opcode Fuzzy Hash: 1c97a400e97095ab1d72774d38258fb386ff9cd5fc6a7fe21eab2aa335d09b76
Instruction Fuzzy Hash: FB212BB49093409FC780DF29C184A4EBBE0BF88758F419D2EF898A7351E779DA448F46

Function 0040549D Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

fgetpos.MSVCRT ref: 004054C3
fflush.MSVCRT ref: 004054E3
_filelengthi64.MSVCRT ref: 004054EE
fsetpos.MSVCRT ref: 00405518

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: _filelengthi64fflushfgetposfsetpos
String ID:
API String ID: 3378604764-0
Opcode ID: b8486fb11fe7754b215a1ef4d30d8f3613565fd43fe73c70f9e0d83bbc15ba6c
Instruction ID: 2a80c3a635ce7ec15f39c3c18633452c1c03a4374d1a0a1b5fc19e3439c4804e
Opcode Fuzzy Hash: b8486fb11fe7754b215a1ef4d30d8f3613565fd43fe73c70f9e0d83bbc15ba6c
Instruction Fuzzy Hash: 5E0139B090C7019BC750DF25898019BBBE4EE94354F501C2FF890D2252E238D8848F86

Function 004011DE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 004011E5
getenv.MSVCRT ref: 004012A5

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Part of subcall function 004053E4: _beginthreadex.MSVCRT ref: 00405417
Part of subcall function 004053E4: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040CE43), ref: 00405423

Strings

U7A, xrefs: 004012AE

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: CloseHandle_beginthreadex_vsnprintfgetenvmalloc
String ID: U7A
API String ID: 32720251-82502779
Opcode ID: d4dcbdb2d31c64d70e03e82ba827809c77499162b74b768b53075e48769a738d
Instruction ID: fa56a288c009368ec5c2b3ada7b9da4447a481c2f367d7306f4d4d80003db507
Opcode Fuzzy Hash: d4dcbdb2d31c64d70e03e82ba827809c77499162b74b768b53075e48769a738d
Instruction Fuzzy Hash: D92167F04087459ED710AF55C18439EBBE0BF84358F018C2EE5E99B281D7BD95849F86

Function 0040D904 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0040D919
SendMessageA.USER32 ref: 0040D940

Part of subcall function 0040AFA3: _vsnprintf.MSVCRT ref: 0040AFC7

Strings

(FA, xrefs: 0040D95A

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: MessageSendVisibleWindow_vsnprintf
String ID: (FA
API String ID: 3977088758-1860655055
Opcode ID: dadd0752c82a856000982f161a48fc1a7d82abcbf255db38dcc4935541e8e948
Instruction ID: 4eaaabdfa58e88587a430831f07749310c2ad3af8c7a434e2e97123cb1b56690
Opcode Fuzzy Hash: dadd0752c82a856000982f161a48fc1a7d82abcbf255db38dcc4935541e8e948
Instruction Fuzzy Hash: 8C012DB0804305AAD710AFA6D9846AFFBE4AF44754F00882FE9C497341D378D5888F86

Function 0040BC47 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040BC7A

Part of subcall function 00405455: LoadLibraryA.KERNEL32 ref: 00405461

Part of subcall function 00405469: GetProcAddress.KERNEL32 ref: 0040547C

Strings

@, xrefs: 0040BCAE
CA, xrefs: 0040BC94

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: AddressCountLibraryLoadProcTick
String ID: @$CA
API String ID: 4181504871-3183928166
Opcode ID: 3ac17904a8ef3f3a48eefd68c97df8659283606dbd0096b0a92b1fb56026e872
Instruction ID: dbbfac58934e84253d124d3bf46070b8f9fbc879e41fbd607e5a7d07a410115f
Opcode Fuzzy Hash: 3ac17904a8ef3f3a48eefd68c97df8659283606dbd0096b0a92b1fb56026e872
Instruction Fuzzy Hash: A611AEB45057089BDB04DF65C5C479ABBF0AF44308F048469D8589F38AD7B8D9448FA6

Function 0040B7E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32 ref: 0040B80C
GetComputerNameA.KERNEL32 ref: 0040B823

Strings

8CA, xrefs: 0040B832

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID: ComputerNamegethostname
String ID: 8CA
API String ID: 1822310196-263586042
Opcode ID: c485423bb71edfa6eb4212e0bb602ece1f555ff10f4238791057b934ed26c145
Instruction ID: ccdac55abdf46612838cb21dddca5fc0ed241a160c63ca55aad5798dd9fd3d2a
Opcode Fuzzy Hash: c485423bb71edfa6eb4212e0bb602ece1f555ff10f4238791057b934ed26c145
Instruction Fuzzy Hash: 43F0ECB1809704AFDB00AF55C9815AEFBF8FF44754F40C82EF89897201D77899519B9A

Function 00401847 Relevance: 5.0, Strings: 4, Instructions: 28COMMON

Download Yara Rule

Strings

7, xrefs: 0040186A
6, xrefs: 0040189E
n7A, xrefs: 00401885
7, xrefs: 004018A5

Memory Dump Source

Source File: 00000000.00000002.2061358054.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061341172.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061379904.0000000000413000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061396514.0000000000414000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061412059.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061448439.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ytgzVtg25k.jbxd

Yara matches

Similarity

API ID:
String ID: 6$7$7$n7A
API String ID: 0-3626202689
Opcode ID: a3a654f9e19d5589fc7b7096a42e2a519b1fc551216a01fa312d95c34b72902e
Instruction ID: ef4438e9f39ccb210b149dbafd0cd1418d577e3ef5ec846b32cc5e2c27f4f54f
Opcode Fuzzy Hash: a3a654f9e19d5589fc7b7096a42e2a519b1fc551216a01fa312d95c34b72902e
Instruction Fuzzy Hash: C7F0F6F08083889ADB20AF55C58479EBBA0AB41358F00C99EE59C2A281C3BC4688CF56

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ytgzVtg25k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NetWire

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ytgzVtg25k.exe_d13bec3fd875e785eec1458ce3a188254910e443_5729f537_3cc227f8-2f14-4289-aee1-7b0f1e0ebc5f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0DB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE14A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1A8.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
ytgzVtg25k.exe

Function 0040C72B Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 111
COMMON

Function 00403B54 Relevance: 4.5, APIs: 3, Instructions: 18
networkCOMMON

Function 004021DA Relevance: .1, Instructions: 81
COMMON

Function 004061D0 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 194
windowCOMMON

Function 0040FD21 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 183
keyboardCOMMON

Function 004080D4 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 279
registryencryptionCOMMON

Function 0040B8A4 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 221
COMMON

Function 00409681 Relevance: 53.0, APIs: 16, Strings: 14, Instructions: 460
libraryloaderCOMMON

Function 00405DD8 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 199
pipeprocessfileCOMMON

Function 00410CCC Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 232
registryCOMMON

Function 00405A58 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 184
timeprocessCOMMON

Function 0040578A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 171
networkCOMMON

Function 0041217C Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 262
networkCOMMON

Function 0040C941 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 135
fileCOMMON