Edit tour

Windows Analysis Report
inject.exe

Overview

General Information

Sample name:	inject.exe
Analysis ID:	1465712
MD5:	48d87e281c7d316d72677c80ecd02e29
SHA1:	0a274418f78672b8515183a9241fff465e9e8591
SHA256:	e37072b84bc4474b48997ac346582ab4040659a31edacbb88fb59d56609ba2d9
Tags:	exe
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

inject.exe (PID: 7500 cmdline: "C:\Users\user\Desktop\inject.exe" MD5: 48D87E281C7D316D72677C80ECD02E29)

cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7788 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["79.110.49.233"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
inject.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
inject.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x735c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x73f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x750e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x71ce:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\VSREDIST.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\VSREDIST.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x735c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x73f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x750e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x71ce:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x715c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x71f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x730e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fce:$cnc4: POST / HTTP/1.1
Process Memory Space: inject.exe PID: 7500	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.inject.exe.490000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.inject.exe.490000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x735c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x73f9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x750e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x71ce:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\VSREDIST.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\inject.exe, ProcessId: 7500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VSREDIST

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\inject.exe, ProcessId: 7500, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk

Snort Signatures

ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes - Source IP: 79.110.49.233 - Destination IP: 192.168.2.8

Timestamp:	07/02/24-00:30:09.393465
SID:	2852870
Source Port:	7000
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: inject.exe

Malware Configuration Extractor: Xworm {"C2 url": ["79.110.49.233"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\VSREDIST.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: inject.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\VSREDIST.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: inject.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: inject.exe	String decryptor: 79.110.49.233
Source: inject.exe	String decryptor: 7000
Source: inject.exe	String decryptor: <123456789>
Source: inject.exe	String decryptor: <Xwormmm>
Source: inject.exe	String decryptor: XWorm V5.2
Source: inject.exe	String decryptor: USB.exe
Source: inject.exe	String decryptor: %AppData%
Source: inject.exe	String decryptor: VSREDIST.exe

Source: inject.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: inject.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 79.110.49.233:7000 -> 192.168.2.8:49705

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 79.110.49.233

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 79.110.49.233:7000

Source: Joe Sandbox View

ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ

Source: inject.exe, 00000000.00000002.1526464486.00000000026AA000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: inject.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\inject.exe	Code function: 0_2_00007FFB4B170E69	0_2_00007FFB4B170E69
Source: C:\Users\user\Desktop\inject.exe	Code function: 0_2_00007FFB4B1776D2	0_2_00007FFB4B1776D2
Source: C:\Users\user\Desktop\inject.exe	Code function: 0_2_00007FFB4B179CAD	0_2_00007FFB4B179CAD
Source: C:\Users\user\Desktop\inject.exe	Code function: 0_2_00007FFB4B176926	0_2_00007FFB4B176926

Source: inject.exe, 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe
Source: inject.exe, 00000000.00000002.1526629546.00000000126A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe
Source: inject.exe	Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe

Source: inject.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: inject.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: inject.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: inject.exe, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: inject.exe, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VSREDIST.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VSREDIST.exe.0.dr, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: VSREDIST.exe.0.dr, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: VSREDIST.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: VSREDIST.exe.0.dr, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: inject.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: inject.exe, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: inject.exe, 00000000.00000002.1525833338.000000000095C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/5@0/1

Source: C:\Users\user\Desktop\inject.exe

File created: C:\Users\user\AppData\Roaming\VSREDIST.exe

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Users\user\Desktop\inject.exe	Mutant created: \Sessions\1\BaseNamedObjects\rGwGQiDRPDEWiZN6

Source: C:\Users\user\Desktop\inject.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA40.tmp

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat""

Source: inject.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: inject.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\inject.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: inject.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\inject.exe

File read: C:\Users\user\Desktop\inject.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\inject.exe "C:\Users\user\Desktop\inject.exe"
Source: C:\Users\user\Desktop\inject.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Users\user\Desktop\inject.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3	Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: VSREDIST.lnk.0.dr

LNK file: ..\..\..\..\..\VSREDIST.exe

Source: inject.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: inject.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: inject.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: inject.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: inject.exe, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: inject.exe, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: inject.exe, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: inject.exe, Messages.cs	.Net Code: Memory
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: VSREDIST.exe.0.dr, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\inject.exe

File created: C:\Users\user\AppData\Roaming\VSREDIST.exe

Jump to dropped file

Source: C:\Users\user\Desktop\inject.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSREDIST			Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSREDIST			Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\inject.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\inject.exe	Memory allocated: D00000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Memory allocated: 1A690000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Window / User API: threadDelayed 2825			Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Window / User API: threadDelayed 7032			Jump to behavior

Source: C:\Users\user\Desktop\inject.exe TID: 7644	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe TID: 7648	Thread sleep count: 2825 > 30	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe TID: 7648	Thread sleep count: 7032 > 30	Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: inject.exe, 00000000.00000002.1525833338.0000000000A12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_C
Source: inject.exe, 00000000.00000002.1526954634.000000001B660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\inject.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat""			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout 3			Jump to behavior

Source: C:\Users\user\Desktop\inject.exe	Queries volume information: C:\Users\user\Desktop\inject.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\inject.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\inject.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: inject.exe, 00000000.00000002.1526954634.000000001B6AF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\inject.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: inject.exe, type: SAMPLE
Source: Yara match	File source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inject.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: inject.exe, type: SAMPLE
Source: Yara match	File source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: inject.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	131 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
inject.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
inject.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VSREDIST.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VSREDIST.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
79.110.49.233	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
79.110.49.233	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	inject.exe, 00000000.00000002.1526464486.00000000026AA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.49.233	unknown	Germany		57287	OTAVANET-ASCZ	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465712
Start date and time:	2024-07-02 00:29:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	inject.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/5@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 40 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target inject.exe, PID 7500 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: inject.exe

Simulations

Behavior and APIs

Time	Type	Description
00:30:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run VSREDIST C:\Users\user\AppData\Roaming\VSREDIST.exe
18:30:00	API Interceptor	9x Sleep call for process: inject.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OTAVANET-ASCZ	RSPTzXqdcr.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, SugarDump, XWorm	Browse	79.110.49.209
	3C5XR6Oj4g.exe	Get hash	malicious	RedLine	Browse	79.110.49.209
	17173975854cf2f83c89e5b8cb6d3f7fbfb13c91374b38f58a44f4c13da06a8fc0d75eb220903.dat-decoded.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	3kQyFl1vUy.exe	Get hash	malicious	Socks5Systemz	Browse	79.110.49.184
	file.exe	Get hash	malicious	Socks5Systemz	Browse	79.110.49.184
	SecuriteInfo.com.Win64.PWSX-gen.29898.16595.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.10080.20186.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.7038.2908.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.PWSX-gen.3439.2109.exe	Get hash	malicious	XWorm	Browse	79.110.49.133
	SecuriteInfo.com.Win64.DangerousSig.15709.19314.exe	Get hash	malicious	XWorm	Browse	79.110.49.133

Process:	C:\Users\user\Desktop\inject.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1727
Entropy (8bit):	5.3718223239563105
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6o6+vxp3/elStHTHhAHKKkhHNp51qHGIs0HKD:iqbYqGSI6o9Zp/elStzHeqKkhtp5wmjB
MD5:	31EF241F1F20FCB19A5F31BA847A045B
SHA1:	EF969D35B4517591F0761196C80EC3596497D890
SHA-256:	06C7CEBB25F733FC6E607865E9268C51ED87F001379A5C35A8FB1BEF13756D31
SHA-512:	8643C52CA4C18D62EF54591EB342E60C11B40BFA0680B3ECD63BF4B9A67486CCEA4B5FA3EE0ACEAAB835D2501894B1AE8A0077FC19B8C51D1192D671A83E30F4
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0

C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat

Download File

Process:	C:\Users\user\Desktop\inject.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	4.975604651070296
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtv3DCHyOWORHvhs9M7AOwDwU1hGDCHyg4E2J5xAInTRIORVm5ZPy:hWKqTtLCH7O9MQDNeCHhJ23fTva5k
MD5:	5E1A9C54B161B50B88749A15967C9FA2
SHA1:	05813AB74D041D54447E8B4881027CEC9A003602
SHA-256:	69787C8DD6F829048C692A527D6BA631581AA308D7511AD70E10D877651B5B22
SHA-512:	45D813319F07278523DFD6E6C70517D831763E483D7106BABEF469A439F377BFAD61F0A8D6716686F34AA6DB804B627CEE711427B90FFACA46B03758959EEDD8
Malicious:	false
Reputation:	low
Preview:	@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "inject.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpA40.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk

Download File

Process:	C:\Users\user\Desktop\inject.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 1 21:30:00 2024, mtime=Mon Jul 1 21:30:00 2024, atime=Mon Jul 1 21:30:00 2024, length=135168, window=hide
Category:	dropped
Size (bytes):	772
Entropy (8bit):	5.101671407194338
Encrypted:	false
SSDEEP:	12:8RwCi4pskChs3oY//mFsIL2ipY9OjAgEHsHDTYv1bA5tA5jmV:8RDpFffuOKg0AKYNbAnAxm
MD5:	0C4E8CE3206710BAC3157122FC62EE60
SHA1:	D53784D72E573C61A06899A4C3CDD72EAA5DBA2F
SHA-256:	47CB6A2FC11B231B47098F570F2C2E60710DFC5BC0650E960084E1E69C10AFC9
SHA-512:	A7B95CE91AFD8653C31BD09B48313BA92B90565F5484EDFDB236525128C597F16B20BF135A4DE66723E0635E1B150750D4A8F795BDF66CB16856745B478D3708
Malicious:	false
Reputation:	low
Preview:	L..................F.... ......5.......5.......5............................z.:..DG..Yr?.D..U..k0.&...&.......y.Yd... \|.......{.5........t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.X............................d...A.p.p.D.a.t.a...B.V.1......X....Roaming.@......EW)B.X............................'B..R.o.a.m.i.n.g.....f.2......X.. .VSREDIST.exe..J.......X...X......."....................h...V.S.R.E.D.I.S.T...e.x.e.......[...............-.......Z...........[.If.....C:\Users\user\AppData\Roaming\VSREDIST.exe........\.....\.....\.....\.....\.V.S.R.E.D.I.S.T...e.x.e.`.......X.......830021...........hT..CrF.f4... .D..Yc...,...E...hT..CrF.f4... .D..Yc...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\VSREDIST.exe

Download File

Process:	C:\Users\user\Desktop\inject.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	4.8978796940686875
Encrypted:	false
SSDEEP:	3072:y+6ESFy9YROjYGBz65/M6If+3Js+3JFkKeTnr:VEy9EGxBt25
MD5:	48D87E281C7D316D72677C80ECD02E29
SHA1:	0A274418F78672B8515183A9241FFF465E9E8591
SHA-256:	E37072B84BC4474B48997AC346582AB4040659A31EDACBB88FB59D56609BA2D9
SHA-512:	82D2F1888C115ED4371585118693BE16F7251814287BE1917F1B81280E20759C476C690C1FEC7479C3BC9C1575825F9512EA362AF71F2CB2B6C7E43F049AEA6E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^%.f................................. ........@.. .......................`............@.................................`...K.......l....................@....................................................... ............... ..H............text....~... ...................... ..`.rsrc...l...........................@..@.reloc.......@......................@..B........................H.......XS...K............................................................(......(.....s.........s.........s.........s............0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0..........~....o.....+....0............(....(.....+......0...........(.....+....0...............(.....+....0...........(.....+....0................-.(...+.+.+...+...0...........................(.....0.. .......~.........-.(...+.....~.....+....(.....0..

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.8978796940686875
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	inject.exe
File size:	135'168 bytes
MD5:	48d87e281c7d316d72677c80ecd02e29
SHA1:	0a274418f78672b8515183a9241fff465e9e8591
SHA256:	e37072b84bc4474b48997ac346582ab4040659a31edacbb88fb59d56609ba2d9
SHA512:	82d2f1888c115ed4371585118693be16f7251814287be1917f1b81280e20759c476c690c1fec7479c3bc9c1575825f9512ea362af71f2cb2b6c7e43f049aea6e
SSDEEP:	3072:y+6ESFy9YROjYGBz65/M6If+3Js+3JFkKeTnr:VEy9EGxBt25
TLSH:	78D30682B600C2E1E47C4A73E556E5F10F32BC1FEB1A691F3984BF473973151AD12A6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^%.f................................. ........@.. .......................`............@................................

File Icon


Icon Hash:	2f46d6d76e6a6c37

Static PE Info

General

Entrypoint:	0x409eae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6683255E [Mon Jul 1 21:53:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa000	0x18b6c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7eb4	0x8000	8a97dee514de440f7fe22491c070e45e	False	0.49365234375	data	5.690249087778276	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa000	0x18b6c	0x18c00	bc3c4b9519d9ecb41b6d9f705a7a0c13	False	0.27762981376262624	data	4.261924264212458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24000	0xc	0x200	410dde75e596ac88218cc283e22f7235	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa1f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	0.41286307053941906
RT_ICON	0xc798	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m	0.34559518186112426
RT_ICON	0x109c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	0.7898936170212766
RT_ICON	0x10e28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	0.4800656660412758
RT_ICON	0x11ed0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	0.21581095469064238
RT_GROUP_ICON	0x226f8	0x4c	data	0.7631578947368421
RT_VERSION	0x22744	0x23c	data	0.4755244755244755
RT_MANIFEST	0x22980	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-00:30:09.393465	TCP	2852870	ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes	7000	49705	79.110.49.233	192.168.2.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 00:30:01.750180006 CEST	49705	7000	192.168.2.8	79.110.49.233
Jul 2, 2024 00:30:01.757086992 CEST	7000	49705	79.110.49.233	192.168.2.8
Jul 2, 2024 00:30:01.757215977 CEST	49705	7000	192.168.2.8	79.110.49.233
Jul 2, 2024 00:30:01.922210932 CEST	49705	7000	192.168.2.8	79.110.49.233
Jul 2, 2024 00:30:01.928345919 CEST	7000	49705	79.110.49.233	192.168.2.8
Jul 2, 2024 00:30:09.393465042 CEST	7000	49705	79.110.49.233	192.168.2.8
Jul 2, 2024 00:30:09.438118935 CEST	49705	7000	192.168.2.8	79.110.49.233
Jul 2, 2024 00:30:10.310767889 CEST	49705	7000	192.168.2.8	79.110.49.233

Target ID:	0
Start time:	18:29:55
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\inject.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\inject.exe"
Imagebase:	0x490000
File size:	135'168 bytes
MD5 hash:	48D87E281C7D316D72677C80ECD02E29
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:30:09
Start date:	01/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat""
Imagebase:	0x7ff610880000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:30:09
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:30:09
Start date:	01/07/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout 3
Imagebase:	0x7ff68b0b0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 00007FFB4B179CAD Relevance: 2.4, Strings: 1, Instructions: 1149COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B17A78A

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5d8463214a742f58b892d282635b61cee4df3900f24b740b604d0cb3a8dcb371
Instruction ID: 9c56e298c2c66a08a61662b73d5e33675fd0657ad73c51fed6ccb7f4703464b8
Opcode Fuzzy Hash: 5d8463214a742f58b892d282635b61cee4df3900f24b740b604d0cb3a8dcb371
Instruction Fuzzy Hash: 0B8260B4A3C90A4FEB98FF38C55567D72D2EF98304B508579D64EC32D6DE28AC528B40

Function 00007FFB4B170E69 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFB4B1710C1

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: 3feff65f5352cc9f727a37e1796fa7679a6d922fe843fdf564a6bf102df5ff32
Instruction ID: 1cab5b0d89bc07cd15819f41ae076da54f3ea403c33524dbb505dc463c790dce
Opcode Fuzzy Hash: 3feff65f5352cc9f727a37e1796fa7679a6d922fe843fdf564a6bf102df5ff32
Instruction Fuzzy Hash: 2C12D4B1B2DA494FEB98FF78C4692B977D1EF88700F504579E54EC32D2DE28A8418741

Function 00007FFB4B176926 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ddf641953651ff01bcccb42505517a5e158cd09f685ef849687070dc98db9a
Instruction ID: c52efb9333bd6db8ca6205a3e083f61862ba9923bd42784f309148040bec374c
Opcode Fuzzy Hash: 28ddf641953651ff01bcccb42505517a5e158cd09f685ef849687070dc98db9a
Instruction Fuzzy Hash: 58F1B47091CA8D8FEBA9EF28C8557E937D1FF59310F04826EE84DC7291DB3499458B82

Function 00007FFB4B1776D2 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdfc3bd00ae83419bc9c354e8fc3d8b335e738a6612c19654b3b5e8a3e56104b
Instruction ID: 6802dc33d7497daeef3eb16fd9d27c01ef3f2bbf01d3572da5d46bf11644a463
Opcode Fuzzy Hash: cdfc3bd00ae83419bc9c354e8fc3d8b335e738a6612c19654b3b5e8a3e56104b
Instruction Fuzzy Hash: F5E1D27091CA8E8FEBA9EF28C8567F977D1EF54310F14826ED84DC72A1CE7498418B81

Function 00007FFB4B178481 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFB4B1784F3

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 20f62743a02934a8a504826562cf3d6af67aac7809e339b97bb34091a4d1ebe5
Instruction ID: 77a54668862ea4b8df5acbd528487013e0bfdfe6fa683cf217e0560dfd1d17b2
Opcode Fuzzy Hash: 20f62743a02934a8a504826562cf3d6af67aac7809e339b97bb34091a4d1ebe5
Instruction Fuzzy Hash: 3E21D7B1C1C25A4FEB00AFB4C8056EDBBE0EF46314F0441BBD689D71A2DA2C98458B91

Function 00007FFB4B171DF1 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFB4B171E36

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: 8ec95e0b439f044f5d6f3b18096427fe54ad0ff00367c6abd05d6cc53c31c622
Instruction ID: 2e14c5e0930b80c58adb0691663d9d46acbbe0725f190d120b0cb8f8145b87ad
Opcode Fuzzy Hash: 8ec95e0b439f044f5d6f3b18096427fe54ad0ff00367c6abd05d6cc53c31c622
Instruction Fuzzy Hash: 721108A1D1D7824FE717BB38C9655683F61AF82714F4841B5D284C70E3CE2C68228B51

Function 00007FFB4B171E58 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SAO_^, xrefs: 00007FFB4B171E36

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID: SAO_^
API String ID: 0-3650529936
Opcode ID: a5c61312f90cb6a1d83e8d2b712df70c3dc4173e31963ead54b67911a254f86c
Instruction ID: 50be4f38d4b18e93ff59ade238017d7d5a579d75ee7fc7690b2ed81b3858164b
Opcode Fuzzy Hash: a5c61312f90cb6a1d83e8d2b712df70c3dc4173e31963ead54b67911a254f86c
Instruction Fuzzy Hash: BAF062B1D2C6168FE356EF34C54157973A2AF95318F548578D349831E1CF28B4718B40

Function 00007FFB4B1727FA Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3e9b36959d4f3ca40373a58eecd84014cb72c1b33029d75c7ace01dcde07de
Instruction ID: 494ea341d5da8d0aff93f9d6504202f19003f24a938f748660e9a3d8485131b5
Opcode Fuzzy Hash: 8e3e9b36959d4f3ca40373a58eecd84014cb72c1b33029d75c7ace01dcde07de
Instruction Fuzzy Hash: 40E15AA2A1DA850FE74AFB3C98652E83BE1EF86614B4841FFD189C71D3DD2858078791

Function 00007FFB4B170820 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191004c423594c789fdc5b15f7f76b136fe45de0b4d8ec649e4c0d5ad734e5a8
Instruction ID: 3203cc87dae077fac87f4921baf684373a483775f4e17c1acc743473545df4ca
Opcode Fuzzy Hash: 191004c423594c789fdc5b15f7f76b136fe45de0b4d8ec649e4c0d5ad734e5a8
Instruction Fuzzy Hash: 1AC117B0A2CE5D8FDB98EF3CC49466877D1FB59754B5445B8E18EC32E6CE34A8418B80

Function 00007FFB4B1728FA Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c26e5e9500890921ea6bde493f08be1fe96a3f68bbba9d72dfac41fa308fd13
Instruction ID: ad5df702bf1c11de8d6dcca774d324a0d9666742a8345124caf6ee00ab105984
Opcode Fuzzy Hash: 8c26e5e9500890921ea6bde493f08be1fe96a3f68bbba9d72dfac41fa308fd13
Instruction Fuzzy Hash: 44B17BA1A2CA494FEB99FB3CC4652B877D1EF8A614F5441BED18EC32D7DD2858038781

Function 00007FFB4B172D45 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4435140d44beb205f81d599bc9d4086f0620909a26d515a55b5ae1ee2bb333cf
Instruction ID: be29c23ce8f6f70e45c741ac5b3e339d3a7f0d9eee91f5f2ca1ea99a474ed09a
Opcode Fuzzy Hash: 4435140d44beb205f81d599bc9d4086f0620909a26d515a55b5ae1ee2bb333cf
Instruction Fuzzy Hash: C7B1DAA072D9058FEB49BB7CC869379B2D6EF9A700F5001B9D44DC32E7DD286C428762

Function 00007FFB4B1772E6 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 414e0ed2dce0d8ccf443e5b4dbbf65121aa5f102cf30aa67a78c50b95e45e779
Instruction ID: 11898c3514cb268fa4ca988bfa158e103f0b134cee9a0b25e71c55add738716b
Opcode Fuzzy Hash: 414e0ed2dce0d8ccf443e5b4dbbf65121aa5f102cf30aa67a78c50b95e45e779
Instruction Fuzzy Hash: 48B1D57051CA8D8FEB69EF38D8557E93BD1EF55310F14826EE88DC7292CA349845CB82

Function 00007FFB4B178B6A Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ec237bf17a5de39dd9e8852f1e88e9f6735fd731c2269197638d58636d6aeb
Instruction ID: 701a54323e569e9e1a349455724de9294a15da367183b5d633a3919af3fe8790
Opcode Fuzzy Hash: 62ec237bf17a5de39dd9e8852f1e88e9f6735fd731c2269197638d58636d6aeb
Instruction Fuzzy Hash: A9A1E6B0A2D91A4FEB59FF38C8456BC77E1EF48304F4441B9D54DC32E2DE29A8428B51

Function 00007FFB4B17ADC5 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c533ae65af4cb6d0fc262fe0e1becdda0d162c43510cb89664268919b12d838
Instruction ID: ac7717d686d0eb5b3257587d0700049ad3e9fcd0916951f1e33d9313c8f63c1c
Opcode Fuzzy Hash: 3c533ae65af4cb6d0fc262fe0e1becdda0d162c43510cb89664268919b12d838
Instruction Fuzzy Hash: 74A181B1A2D91A4FEB9AFF38C4597BD73D1EB58304F40447AD90EC32A2DD286C418780

Function 00007FFB4B17AE15 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd38609d7028fedf3de16b9f3e03c16bce27242027fe9609693ea45a4500c36
Instruction ID: b9b7384c828ca739be91d9f3ac5a8dad5f8c78a6f369dccf9c6633f8f170cbbc
Opcode Fuzzy Hash: 1fd38609d7028fedf3de16b9f3e03c16bce27242027fe9609693ea45a4500c36
Instruction Fuzzy Hash: C29190A0A2D95A4FEB9AFF38C4557B977E1EF58304F40447AD94DC32E2DE28AC418781

Function 00007FFB4B178F5D Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea28228b7f940399d78aea7982af67624a0430d1b131085b97a466980e42f059
Instruction ID: 9a527979b0b9edc3cf7537ad5e4244ee4e0196c3d5a6ef62dae6060735565713
Opcode Fuzzy Hash: ea28228b7f940399d78aea7982af67624a0430d1b131085b97a466980e42f059
Instruction Fuzzy Hash: 3D810671A2C9595FDB59EF38C8596F977E1EF99310F0441BAE14EC32E2CD286C428B81

Function 00007FFB4B170588 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56480fe658f7428624670fe0122026aef47d02a0e3984e5f1dd1520e788f5eea
Instruction ID: 1ccb8757efe555387f7d604c23bd158d54f0ef8601d440f0c505014209736b8f
Opcode Fuzzy Hash: 56480fe658f7428624670fe0122026aef47d02a0e3984e5f1dd1520e788f5eea
Instruction Fuzzy Hash: 7C6136B1A2DA0B4FE799BF7CD81A2BD77D1EF89211F4440BAD58DC3292DD286C424780

Function 00007FFB4B17951D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c84b0e444c54679a3cedfb112247b804cfa675630de408a1abd859d2321f8
Instruction ID: c748c665bde817cce8268f2094e1d474c75e4e80476307d1197879c6a3762005
Opcode Fuzzy Hash: 422c84b0e444c54679a3cedfb112247b804cfa675630de408a1abd859d2321f8
Instruction Fuzzy Hash: 596158B080D6898FD749EF78C8556B87BF0EF66314F0482BFD148C71A2DB28A846CB51

Function 00007FFB4B17856D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74df9ba2c91508e6534ec399fa345bf8f49bef88c7c485ddbec137f0a42bc93d
Instruction ID: fc2a7c653547dd6ca7473d975b380847874f303d06a5bfc3f95cc3e3c6422cdc
Opcode Fuzzy Hash: 74df9ba2c91508e6534ec399fa345bf8f49bef88c7c485ddbec137f0a42bc93d
Instruction Fuzzy Hash: 1E517170918A0D8FDB58EF68D8457EDBBF1FF99310F1082AAD44DD3252DA34A8428F81

Function 00007FFB4B178C75 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af114f5698af46f10dc5296110eb3c8af07472a255c2a238136ecbb5ba07e4c
Instruction ID: 37ad8132153e89131c6229f37f1fdccde237c70a9091f20264b7ad484a159c5e
Opcode Fuzzy Hash: 4af114f5698af46f10dc5296110eb3c8af07472a255c2a238136ecbb5ba07e4c
Instruction Fuzzy Hash: 466190B0A2D91A5FEB95FF38D4456BC77E1EF98304F4041BAE64DC32E2DE2868418B40

Function 00007FFB4B172288 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b064749be207ffb6d92897fd1ad356aca566dc1cb1a6018cff396ad9de7b01
Instruction ID: a937fb2b0672b86178dac2866b6820624c01e75047c5e6e34403f6bc89b9a959
Opcode Fuzzy Hash: 23b064749be207ffb6d92897fd1ad356aca566dc1cb1a6018cff396ad9de7b01
Instruction Fuzzy Hash: FA610770D1D6864FEB4AAB7484112A9BBE1EF17314F1842E9D199C71E3CD6CA843CB91

Function 00007FFB4B178FB0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0919835d12b565779f3c63b25f2827d1b19055d64f7153a2012a96a18494edc
Instruction ID: eb2a7cbd02d4d86a5cf18cf014f87bf18e903dd4a593fab80436233bd334d3c0
Opcode Fuzzy Hash: c0919835d12b565779f3c63b25f2827d1b19055d64f7153a2012a96a18494edc
Instruction Fuzzy Hash: F051B371A2891C9FDB99FF38C459ABDB7E1EF98350F444579E14ED32A2CE24AC418B40

Function 00007FFB4B17421C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d72e2de6675543813e78cc28f36918a6804809d47078909520fc0ce2f6c64a
Instruction ID: 6a637208057fcd8a183a05b6ff5286219a86b0df463e62d1fce1b4839b74a6e6
Opcode Fuzzy Hash: c7d72e2de6675543813e78cc28f36918a6804809d47078909520fc0ce2f6c64a
Instruction Fuzzy Hash: 3651A370918A1C8FDB59EF68D845BE9BBF1FB59310F0082ABD44DD3252DE34A9858F81

Function 00007FFB4B17815A Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26eead4cb61f9c2007e7d85367825f1bb54b7aa9fb0ddec7c86d100b8ffc27dd
Instruction ID: c00759565e9aaa258e453fbd68b1941f42167ad41440bef2fed1566d42be8427
Opcode Fuzzy Hash: 26eead4cb61f9c2007e7d85367825f1bb54b7aa9fb0ddec7c86d100b8ffc27dd
Instruction Fuzzy Hash: 67210892A2DB9A5FEB42BB7C98151E87FA0EF62254B0841F7D688C7093D914584583D2

Function 00007FFB4B178CCF Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c692cdeaaf2d5384ee0e93d83e4cb631a3100c9fb885856ab2e5b67413e97af
Instruction ID: 9d30b228a66da3c30d483405ae5b7086862d40b5cbc25ef7069347a6dee2da83
Opcode Fuzzy Hash: 4c692cdeaaf2d5384ee0e93d83e4cb631a3100c9fb885856ab2e5b67413e97af
Instruction Fuzzy Hash: DA5109B0A2D94A4FEB56EF38D8556BC77E2FF95304F0440BAD549C32E2DE286C418B41

Function 00007FFB4B171FE5 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d67b6cb6086ea75cd21c5f1ee719b79df5a71f66ab33f5fb10eb60fd56da31
Instruction ID: ede1f4435013d08420aceafd80c3a113d07f4e03c71c0d836b01a3944047126d
Opcode Fuzzy Hash: 05d67b6cb6086ea75cd21c5f1ee719b79df5a71f66ab33f5fb10eb60fd56da31
Instruction Fuzzy Hash: B651A2B090DA0D8FDF98EF28D465AA977E0FF55311F10416ED14AC36A1CB75D882CB81

Function 00007FFB4B170BEE Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc56a9f89fb046b3f065c1bd05de02b1068828dcea003953f2e3e2ec761aa4e
Instruction ID: 6838bf762ea795cefded4c2c720457685b8776f9132b8e370d2a3309d73dd164
Opcode Fuzzy Hash: 7dc56a9f89fb046b3f065c1bd05de02b1068828dcea003953f2e3e2ec761aa4e
Instruction Fuzzy Hash: 9E410961A1DB9A0FE797BB7C941927977D2DFC6214B4840FBD98DC3293DC18AC428351

Function 00007FFB4B1788D1 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eefcb5b45acc1d21a2d661b263da40d4ac50862113abcd1a71dfd1067d67d092
Instruction ID: 5310305d3334f6cb9d29d58204571b1530afb2a26dd06bbe08204f61b9394b33
Opcode Fuzzy Hash: eefcb5b45acc1d21a2d661b263da40d4ac50862113abcd1a71dfd1067d67d092
Instruction Fuzzy Hash: 9C41C2B1A18A094FDB85EF78C4596FCB7F2EF99310B0441BAD549D32A2EF389C418B51

Function 00007FFB4B170949 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdc4d882992065281e1b763ca896e34dad1a786908f6ba7f83081d2d5416cd3
Instruction ID: 44be39db50d5d3eb9634ab69dc1f2ecf9d2552e0794cad0a2c776a7b86fca9da
Opcode Fuzzy Hash: 9cdc4d882992065281e1b763ca896e34dad1a786908f6ba7f83081d2d5416cd3
Instruction Fuzzy Hash: C931C4B0A19A4A8FDB49FFB8C8696FD77A1FF89700F544479D509D32C6CE3868428B50

Function 00007FFB4B171665 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2da4a2fb27ee70e5ea616391730cc4850a3f3f6ca99c50cd5b6711d1c6e5d0a6
Instruction ID: b846bb3804f14065441010cd497f4ed9ecbad7942fde6868569ea095b7145111
Opcode Fuzzy Hash: 2da4a2fb27ee70e5ea616391730cc4850a3f3f6ca99c50cd5b6711d1c6e5d0a6
Instruction Fuzzy Hash: 8F319F60B1DA494FE789FF3CD45A378B2C2EB98301F1405BEA44EC3293DD689C418741

Function 00007FFB4B178799 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeafb07e1430593da40ce49c336034b9a74409541a6f6eaf4e8f10f84d50aa76
Instruction ID: 83ee239d33b860ee674bbd841a1993f6e8340622699b5897d0ffba921d27ca4b
Opcode Fuzzy Hash: eeafb07e1430593da40ce49c336034b9a74409541a6f6eaf4e8f10f84d50aa76
Instruction Fuzzy Hash: 8D31047055CA9A8FDB4AFF38C4915A83BF0FF16314B4401EAD049C72E2CE38A881CB41

Function 00007FFB4B170A89 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5007947a8ddcc296f76f4cb9b2f1325dff1a83bdf793f47310624df5c15100c5
Instruction ID: a91b80aa4df82c740199f216ace72cf8474a273ab9d81b94d86cead13635ee95
Opcode Fuzzy Hash: 5007947a8ddcc296f76f4cb9b2f1325dff1a83bdf793f47310624df5c15100c5
Instruction Fuzzy Hash: 7E21E791A2CB464FF7457BB8885D3B87BD2EF95B04F0441BAE44DC32D3DD2899018B52

Function 00007FFB4B1783C1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f67d05ee0f40f5531410b0d37834a7afb402b83c31cf4829071c1d8ed3a2cf
Instruction ID: 6d9ac22bac1c99d713c4288c9615918f42c25d17d1d98c53966e77c691efad91
Opcode Fuzzy Hash: 30f67d05ee0f40f5531410b0d37834a7afb402b83c31cf4829071c1d8ed3a2cf
Instruction Fuzzy Hash: DA0126B2D19A4D0FDB46EFB8881A1EE7BF1FF14201F4001B7D548C7192DE2899008781

Function 00007FFB4B171C51 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd56b6261f2890658668ae131c8107a061958990fac26464c4461cd05004dd8c
Instruction ID: 27ddddd5f3b2917c86a35cfe7e551885fb8520e364a0e2ca0401c0e4ade57dee
Opcode Fuzzy Hash: bd56b6261f2890658668ae131c8107a061958990fac26464c4461cd05004dd8c
Instruction Fuzzy Hash: 8AF090A189E3C90FD7035BB54C355A17FB4AF53204B4D42DBE5C88B0A3C61866288762

Function 00007FFB4B171761 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8a2e2465990daceb848e9e8dbcbc7c536a262af9048d350db8c23ed1841e70
Instruction ID: 87304ff4e71bd5ba2a3fa89bededc2cd04391deacbab3e99b5a8e88f1f88b489
Opcode Fuzzy Hash: ba8a2e2465990daceb848e9e8dbcbc7c536a262af9048d350db8c23ed1841e70
Instruction Fuzzy Hash: 4F01769491C7C40FE742BE3CA8620317FE09F82604B0844AAE6C8C70E3EC18A9518782

Function 00007FFB4B171F61 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e01a3972c7a2abbda8299bf1a8f75d2198aeb8791b5e9de9327cb69c6d7d8b1
Instruction ID: cc819da8eb9ca124d1c6f5ebb232fb9ebe20abffddc6303a75b9bed5ae0ccfba
Opcode Fuzzy Hash: 7e01a3972c7a2abbda8299bf1a8f75d2198aeb8791b5e9de9327cb69c6d7d8b1
Instruction Fuzzy Hash: 80F026C1D1D3920BF7957B78C4672B829C19F40304F5480B9D38DC32E3CE5CA8618741

Function 00007FFB4B179B9D Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8128fd44e03241efc72cab356413a01651c9aac48d8ae541e3bbc2b5f63ff5
Instruction ID: 9a615f1ae251d566333fcaed23931160b8d879c9976240b7eff10dba28f1786c
Opcode Fuzzy Hash: 5d8128fd44e03241efc72cab356413a01651c9aac48d8ae541e3bbc2b5f63ff5
Instruction Fuzzy Hash: 4801DCA446F3C96FCB53AB348820892BFB0AF03229B0845EBE1D88B0A3D5081118CB42

Function 00007FFB4B170B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2389e4b16049f60eeae2007f4a1936719a62666418d6f458ef2fe61c5f63548a
Instruction ID: 89ff76eb71948b31250cd567d1edec54d6ec7a8174e445e29ad8dee3631ab712
Opcode Fuzzy Hash: 2389e4b16049f60eeae2007f4a1936719a62666418d6f458ef2fe61c5f63548a
Instruction Fuzzy Hash: AFE06D61B189198FAF81BBBCD4492FCB2D2EBCC211B100177DA0DD3292DE2858418790

Function 00007FFB4B17B1DE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d3b21ea2d8f0e320682bb5725fac58beed70bb8e6a711c783d50f84cd7614c
Instruction ID: a900d23b00d5a26f9ae17b865603e9bb65faaefe64275b6073a5db231d8c85f2
Opcode Fuzzy Hash: c9d3b21ea2d8f0e320682bb5725fac58beed70bb8e6a711c783d50f84cd7614c
Instruction Fuzzy Hash: 89E0723695CA8C4BCB00BEA9EC204C6BBA1FBC9308F0101AAE59CC7291D2628625C385

Function 00007FFB4B179BF5 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3470239d6c2e1d1d8db50046371296d7767ad04450776460d0497494a382e657
Instruction ID: b1badb56f68cc32f9eb4f96fb88d93f163bf1e6695e55715447be8449067ee70
Opcode Fuzzy Hash: 3470239d6c2e1d1d8db50046371296d7767ad04450776460d0497494a382e657
Instruction Fuzzy Hash: 82E08CB185E6CD0EDB12AB3889220D8BF60FE52200F8901E7E698C70A3E95941298782

Non-executed Functions

Function 00007FFB4B1706BD Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

O_^, xrefs: 00007FFB4B170772
O_^, xrefs: 00007FFB4B170722
O_^, xrefs: 00007FFB4B1707BA
O_^, xrefs: 00007FFB4B17077A

Memory Dump Source

Source File: 00000000.00000002.1527812730.00007FFB4B170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b170000_inject.jbxd

Similarity

API ID:
String ID: O_^$O_^$O_^$O_^
API String ID: 0-138518006
Opcode ID: 158b28ecd627ccaa288578582487f98d98a498ed58ccd619bbec4f50ff4ded2a
Instruction ID: cdcb8150e69b0a0252269ae29acdd3d1dbe004359dbcf9e62ff1e12b7b2c9340
Opcode Fuzzy Hash: 158b28ecd627ccaa288578582487f98d98a498ed58ccd619bbec4f50ff4ded2a
Instruction Fuzzy Hash: AD313AE7C0E7C55FE352ABBC9DE91E83F90EF5216D71840F6C2C98E1A3F804544A8A51

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report inject.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\inject.exe.log

C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk

C:\Users\user\AppData\Roaming\VSREDIST.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
inject.exe