Edit tour

Windows Analysis Report
rnoahcrypter.exe

Overview

General Information

Sample name:	rnoahcrypter.exe
Analysis ID:	1467149
MD5:	d560a00761c873c47778db0e4501b93e
SHA1:	c8032767d547373b2d4c56045eaebb831d49fc3a
SHA256:	e0b2a21d46eaafd76da52888f1fbbca89592301d69cf9cfe6be58992aa021f9a
Tags:	exeRedLineStealer
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rnoahcrypter.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\rnoahcrypter.exe" MD5: D560A00761C873C47778DB0E4501B93E)

RegSvcs.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\rnoahcrypter.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.magna.com.pk", "Username": "atif@magna.com.pk", "Password": "Yil}b95u0Q2x"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1649642845.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 DC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000002.2883331990.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 DC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4071b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40837:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x408a1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40913:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2884628166.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6716	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 DC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.2cb0ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dabd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rnoahcrypter.exe.3d40000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 DC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 EF 88 44 24 2B 88 44 24 2F B0 DC 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.2cb0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2cb0000.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2cb0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2cb0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4071b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40837:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x408a1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40913:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3d66458.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3d66458.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3d66458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3d66458.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8c6f9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8c76b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8c7f5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8c887:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8c8f1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8c963:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8c9f9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8ca89:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.291f0de.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.291f0de.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.291f0de.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.291f0de.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4071b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40837:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x408a1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40913:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.291ffc6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.291ffc6.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.291ffc6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.291ffc6.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dabd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3d66458.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3d66458.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3d66458.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3d66458.7.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dabd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3db3390.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3db3390.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3db3390.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3db3390.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dabd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.291f0de.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.291f0de.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.291f0de.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.291f0de.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e91b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea37:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eaa1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb13:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3d65570.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3d65570.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3d65570.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3d65570.6.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e91b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea37:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eaa1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb13:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3db3390.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3db3390.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3db3390.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3db3390.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.51a0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.51a0000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.51a0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.51a0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3d9c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3da33:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3dabd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3db4f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3dbb9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3dc2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3dcc1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3dd51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.2cb0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.2cb0000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2cb0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2cb0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3e8a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3e91b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3e9a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3ea37:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3eaa1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3eb13:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3eba9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3ec39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.291ffc6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.291ffc6.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.291ffc6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.291ffc6.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.3d65570.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.3d65570.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.3d65570.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.3d65570.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x406a9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x8d5e1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x4071b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x8d653:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x407a5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x8d6dd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x40837:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x8d76f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x408a1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x8d7d9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x40913:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x8d84b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x409a9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x8d8e1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x40a39:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x8d971:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.51a0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.51a0000.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.51a0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.51a0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f7c1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f833:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f8bd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f94f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f9b9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3fa2b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fac1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fb51:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 62 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 164.68.127.9, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6716, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.magna.com.pk", "Username": "atif@magna.com.pk", "Password": "Yil}b95u0Q2x"}

Multi AV Scanner detection for submitted file

Source: rnoahcrypter.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rnoahcrypter.exe

Joe Sandbox ML: detected

Source: rnoahcrypter.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rnoahcrypter.exe, 00000000.00000003.1646617473.0000000004130000.00000004.00001000.00020000.00000000.sdmp, rnoahcrypter.exe, 00000000.00000003.1644708088.00000000042D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rnoahcrypter.exe, 00000000.00000003.1646617473.0000000004130000.00000004.00001000.00020000.00000000.sdmp, rnoahcrypter.exe, 00000000.00000003.1644708088.00000000042D0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DE4696
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DEC9C7
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEC93C FindFirstFileW,FindClose,	0_2_00DEC93C
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF200
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF35D
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEF65E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3A2B
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3D4E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEBF27

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 164.68.127.9:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 164.68.127.9 164.68.127.9

Source: Joe Sandbox View

ASN Name: CONTABODE CONTABODE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 164.68.127.9:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DF25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DF25E2

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.magna.com.pk

Source: RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.co
Source: RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000001.00000002.2883572626.0000000000D82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000001.00000002.2883572626.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.magna.com.pk
Source: RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.c)
Source: RegSvcs.exe, 00000001.00000002.2883572626.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.0000000005518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000001.00000002.2883572626.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, SKTzxzsJw.cs

.Net Code: XGy5GvtYh8

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DF425A

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DF4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DF4458

Source: C:\Users\user\Desktop\rnoahcrypter.exe

0_2_00DF425A

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DE0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DE0219

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00E0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E0CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rnoahcrypter.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1649642845.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.2883331990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D83B4C
Source: rnoahcrypter.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rnoahcrypter.exe, 00000000.00000000.1636234872.0000000000E35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ea802839-8
Source: rnoahcrypter.exe, 00000000.00000000.1636234872.0000000000E35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_7ac359db-b
Source: rnoahcrypter.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_edbd1890-5
Source: rnoahcrypter.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_13e6115f-f

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DE40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00DE40B1

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DD8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00DD8858

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DE545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DE545F

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D8E800	0_2_00D8E800
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DADBB5	0_2_00DADBB5
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00E0804A	0_2_00E0804A
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D8E060	0_2_00D8E060
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D94140	0_2_00D94140
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA2405	0_2_00DA2405
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB6522	0_2_00DB6522
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00E00665	0_2_00E00665
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB267E	0_2_00DB267E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D96843	0_2_00D96843
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA283A	0_2_00DA283A
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB89DF	0_2_00DB89DF
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00E00AE2	0_2_00E00AE2
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB6A94	0_2_00DB6A94
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D98A0E	0_2_00D98A0E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE8B13	0_2_00DE8B13
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DDEB07	0_2_00DDEB07
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DACD61	0_2_00DACD61
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB7006	0_2_00DB7006
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D93190	0_2_00D93190
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D9710E	0_2_00D9710E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D81287	0_2_00D81287
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA33C7	0_2_00DA33C7
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAF419	0_2_00DAF419
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA16C4	0_2_00DA16C4
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D95680	0_2_00D95680
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA78D3	0_2_00DA78D3
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D958C0	0_2_00D958C0
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA1BB8	0_2_00DA1BB8
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DB9D05	0_2_00DB9D05
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D8FE40	0_2_00D8FE40
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA1FD0	0_2_00DA1FD0
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DABFE6	0_2_00DABFE6
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_01793600	0_2_01793600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040DC11	1_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00407C3F	1_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418CCC	1_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00406CA0	1_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004028B0	1_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041A4BE	1_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418244	1_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00401650	1_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F20	1_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004193C4	1_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418788	1_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F89	1_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402B90	1_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004073A0	1_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0283CE28	1_2_0283CE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0283DA40	1_2_0283DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02831298	1_2_02831298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02830FD0	1_2_02830FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02831030	1_2_02831030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0283D170	1_2_0283D170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061BBE98	1_2_061BBE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061BEF80	1_2_061BEF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061B6348	1_2_061B6348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061B9838	1_2_061B9838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061BF6C8	1_2_061BF6C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061B0006	1_2_061B0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061B0040	1_2_061B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065D5228	1_2_065D5228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065DA1B8	1_2_065DA1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065D61A8	1_2_065D61A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065D1528	1_2_065D1528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065D83A8	1_2_065D83A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_061B9B20	1_2_061B9B20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: String function: 00DA8B40 appears 42 times
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: String function: 00DA0D27 appears 70 times
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: String function: 00D87F41 appears 35 times

Source: rnoahcrypter.exe, 00000000.00000003.1644563706.0000000004253000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rnoahcrypter.exe
Source: rnoahcrypter.exe, 00000000.00000003.1645928965.00000000043FD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rnoahcrypter.exe
Source: rnoahcrypter.exe, 00000000.00000002.1649642845.0000000003D40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefb0fccec-cbb5-401a-a814-9506b6d21701.exe4 vs rnoahcrypter.exe

Source: rnoahcrypter.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rnoahcrypter.exe.3d40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1649642845.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.2883331990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DEA2D5 GetLastError,FormatMessageW,

0_2_00DEA2D5

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DD8713 AdjustTokenPrivileges,CloseHandle,		0_2_00DD8713
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DD8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DD8CC3

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DEB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DEB59E

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DFF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DFF121

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DF86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00DF86D0

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D84FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D84FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\rnoahcrypter.exe

File created: C:\Users\user\AppData\Local\Temp\aut21A8.tmp

Jump to behavior

Source: rnoahcrypter.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rnoahcrypter.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\rnoahcrypter.exe "C:\Users\user\Desktop\rnoahcrypter.exe"
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rnoahcrypter.exe"
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rnoahcrypter.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rnoahcrypter.exe

Static file information: File size 1174016 > 1048576

Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rnoahcrypter.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rnoahcrypter.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: rnoahcrypter.exe, 00000000.00000003.1646617473.0000000004130000.00000004.00001000.00020000.00000000.sdmp, rnoahcrypter.exe, 00000000.00000003.1644708088.00000000042D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rnoahcrypter.exe, 00000000.00000003.1646617473.0000000004130000.00000004.00001000.00020000.00000000.sdmp, rnoahcrypter.exe, 00000000.00000003.1644708088.00000000042D0000.00000004.00001000.00020000.00000000.sdmp

Source: rnoahcrypter.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rnoahcrypter.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rnoahcrypter.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rnoahcrypter.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rnoahcrypter.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DFC304 LoadLibraryA,GetProcAddress,

0_2_00DFC304

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE8719 push FFFFFF8Bh; iretd	0_2_00DE871B
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAE94F push edi; ret	0_2_00DAE951
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAEA68 push esi; ret	0_2_00DAEA6A
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DA8B85 push ecx; ret	0_2_00DA8B98
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAEC43 push esi; ret	0_2_00DAEC45
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAED2C push edi; ret	0_2_00DAED2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C40C push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00423149 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C50E push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004231C8 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E21D push ecx; ret	1_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C6BE push ebx; ret	1_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040BB97 push dword ptr [ecx-75h]; iretd	1_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02834391 push ds; iretd	1_2_02834397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02834795 push cs; ret	1_2_02834799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0283475A push ebp; retf	1_2_02834760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_065D8397 push eax; retf	1_2_065D83A1

Source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'SFueaXQwQi0SD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'SFueaXQwQi0SD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'SFueaXQwQi0SD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'SFueaXQwQi0SD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'SFueaXQwQi0SD', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00D84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D84A35
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00E055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E055FD

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DA33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DA33C7

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rnoahcrypter.exe

API/Special instruction interceptor: Address: 1793224

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

1_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4699			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1564			Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99498

Source: C:\Users\user\Desktop\rnoahcrypter.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DE4696
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DEC9C7
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEC93C FindFirstFileW,FindClose,	0_2_00DEC93C
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF200
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF35D
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEF65E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3A2B
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3D4E
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEBF27

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D84AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97339	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rnoahcrypter.exe	API call chain: ExitProcess graph end node	graph_0-98097
Source: C:\Users\user\Desktop\rnoahcrypter.exe	API call chain: ExitProcess graph end node	graph_0-98272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DF41FD BlockInput,

0_2_00DF41FD

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D83B4C

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DB5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00DB5CCC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

1_2_004019F0

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DFC304 LoadLibraryA,GetProcAddress,

0_2_00DFC304

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_017934F0 mov eax, dword ptr fs:[00000030h]	0_2_017934F0
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_01793490 mov eax, dword ptr fs:[00000030h]	0_2_01793490
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_01791E70 mov eax, dword ptr fs:[00000030h]	0_2_01791E70

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DD81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DD81F7

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DAA395
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DAA364 SetUnhandledExceptionFilter,	0_2_00DAA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004123F1 SetUnhandledExceptionFilter,	1_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 958008

Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DD8C93 LogonUserW,

0_2_00DD8C93

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D83B4C

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D84A35

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DE4EC9 mouse_event,

0_2_00DE4EC9

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rnoahcrypter.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe

0_2_00DD81F7

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DE4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DE4C03

Source: rnoahcrypter.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rnoahcrypter.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DA886B cpuid

0_2_00DA886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

1_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DB50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DB50D7

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DC2230 GetUserNameW,

0_2_00DC2230

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00DB418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00DB418A

Source: C:\Users\user\Desktop\rnoahcrypter.exe

Code function: 0_2_00D84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D84AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: rnoahcrypter.exe	Binary or memory string: WIN_81
Source: rnoahcrypter.exe	Binary or memory string: WIN_XP
Source: rnoahcrypter.exe	Binary or memory string: WIN_XPe
Source: rnoahcrypter.exe	Binary or memory string: WIN_VISTA
Source: rnoahcrypter.exe	Binary or memory string: WIN_7
Source: rnoahcrypter.exe	Binary or memory string: WIN_8
Source: rnoahcrypter.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884628166.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d66458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291f0de.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3db3390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.291ffc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.3d65570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.51a0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DF6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DF6596
Source: C:\Users\user\Desktop\rnoahcrypter.exe	Code function: 0_2_00DF6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DF6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	148 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	121 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rnoahcrypter.exe	55%	ReversingLabs	Win32.Trojan.Strab
rnoahcrypter.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://mail.magna.com.pk	0%	Avira URL Cloud	safe
http://crl.co	0%	Avira URL Cloud	safe
http://ocsp.c)	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.magna.com.pk	164.68.127.9	true	true		unknown
api.ipify.org	104.26.13.205	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000001.00000002.2883572626.0000000000D03000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.magna.com.pk	RegSvcs.exe, 00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2884628166.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.c)	RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.co	RegSvcs.exe, 00000001.00000002.2886192748.00000000054ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
164.68.127.9	mail.magna.com.pk	Germany		51167	CONTABODE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467149
Start date and time:	2024-07-03 18:56:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rnoahcrypter.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 58 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rnoahcrypter.exe

Simulations

Behavior and APIs

Time	Type	Description
12:56:56	API Interceptor	31x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	ArenaWarSetup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	E4sbo4F6Sz.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
164.68.127.9	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	493084369.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z1chima.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Purchase Order 0030520574.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Purchase Order 0030520574.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-2024-05369.exe	Get hash	malicious	AgentTesla	Browse
	grace.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	vXykLXCs5d.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ET2431000075 & ET2431000076.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	noa.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	tgBNtoWqIp.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	19808bS58f.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.6737.3783.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	9691e6dc404680cc6648726c8d124a6d4fc637bb6b4a092661308012438623b2_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	0VcrCVxnMP.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	E48ALuMJ3m.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	MzjwuZnJF0.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	VG0x1LZCFb.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
mail.magna.com.pk	grace.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	164.68.127.9
mail.magna.com.pk	noa.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	164.68.127.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CONTABODE	https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3VfkDRZqOjfShPTiZjGkXYeHH0qcNkYwSSCzibjlmAzeTFQugAGktmmDcLaGVd7xmrhViuDlzvk7LSYra0CxW0GfjPradQJiCp1Lv1-2BJr8tU4uPUlMdZtOopAucgMUwgTsNkjDwJaQiHNbOIjuz9-2F3lablcjJiJu79900Z-2B-2BB-2F6jXyiW_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8pPuOyTauAJYwyhhj24yBhp7RMjj-2F0GEsPKyiUipvQjkQHl7wMea8EX-2BEwxs5CkLSgKbIS5ztD-2FRjTIduXCBnVT1QnOLd-2FvmyGT6B7reFiJd8Uxm5bV4XvIh0yb5H69DRSKW3EikbmS1X801NApBjBxNojnvbDZeuwCzdsxI3Q5aBPTHO4KAIPr3eArcRNMGEhsEzfjMMKf-2F6jodzrXKEkXK5P-2Fd4Xgx-2FJIzg1wpgwJNw-3D-3D#?email=c3BlbmNlci53dW5kZXJsZUBoc2Nwb2x5LmNvbQ==	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	173.249.54.85
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	164.68.127.9
	ABSA NOTIFICATION(.......pdf	Get hash	malicious	HTMLPhisher	Browse	167.86.118.58
	CUfSSHbXry.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	Ak1kDlyIZ8.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	a6pLyc70Eg.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	oG1PQhYd2k.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	YUjTZrUbFo.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	FNB-Copy.pdf	Get hash	malicious	Unknown	Browse	167.86.118.58
	IF10339.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	5.189.162.96
CLOUDFLARENETUS	file.exe	Get hash	malicious	Clipboard Hijacker, PureLog Stealer, RisePro Stealer	Browse	104.26.4.15
	https://www-bbc-co-uk.cdn.ampproject.org/c/s/%41%4E%54oniopneus.com.br/dayo/uzmzp/captcha/amVubmlmZXIuYnJvY2t3YXlAZXhldGVyZmluYW5jZS5jb20=$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	104.21.45.251
	thegreatestexecutor.bat	Get hash	malicious	Unknown	Browse	104.16.123.96
	BL Draft.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://eplogisticademexico-my.sharepoint.com/personal/natalyar_eplogistics_com1/_layouts/15/guestaccess.aspx?e=5%3aIF7Pg7&at=9&share=ElyrWNLgmPNHoLatr5CK5xABy6AUzd-VUKQ5lFH-DHWgkA	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	thegreatestexecutor.bat	Get hash	malicious	Unknown	Browse	104.16.123.96

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	2cFFfHDG7D.msi	Get hash	malicious	AteraAgent	Browse	104.26.13.205
	thegreatestexecutor.bat	Get hash	malicious	Unknown	Browse	104.26.13.205
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	#Uc804#Uc790(#Uc138#Uae08)#Uacc4#Uc0b0#Uc11c 2024-06-20.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	Nichiden Viet Nam - Products List & Specification.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.13.205
	Purchase Order No.P7696#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	thegreatestexecutor.bat	Get hash	malicious	Unknown	Browse	104.26.13.205
	Products inquiryJULY ORDER2024.PDF.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.13.205
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	http://ferjex.com	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\rnoahcrypter.exe
File Type:	data
Category:	dropped
Size (bytes):	262828
Entropy (8bit):	7.974245811104698
Encrypted:	false
SSDEEP:	6144:D5KCBOTTkHESsHD4/4d4q7fw+ieeEj4I9kg5umDuvB2rwMaBBd9j:YZ/kHEPHD4G4qDw+ieefCGmDi2MMG7l
MD5:	29743812BB3A17BF707733D3A165B979
SHA1:	467905E746B562FE19E14C2115D3A1BBF16F8946
SHA-256:	BE91AAADAA8E1BD44CBD433CF16A8980677DE78157F1C9E7CC3EF170A6086D4A
SHA-512:	B5BDF4DEBFB37C80776A1103B3078BE5271EC2640E2BED0F61A472CD805C841E6CFD6839DB35145B424E1011FA7E7B3A76D488DAEA809C3519691170FBABB186
Malicious:	false
Reputation:	low
Preview:	EA06......x.....L.N).m/.aJ.P.........+S....!.p.....(..m^o...m..L+/..H.s........[D.wW.Ig.9../3....5.=v.....3L..@...T.wH..y2.RtS..#.4.X%.x@..E..g.....2.I.`...7&.Q..)...!L..p..1.L@........H......Y..T..v... .^.u..g4.5kC1.R..P.....@% .... E...@..;.R......0jGS...jf..J.V'3.U.G... ".`.........V.g..k..5..1.P.1.M.....{...4h...M..8.0.l..l.\. T..`..h)4j.....Nf..$.g8.....T...P.....W.P.....2.\..`....@Xj..t......>....d..%u@.....p+ ....a.............<.=....\|.~BYZ.\|$....2..H.L[K,.~.t<.W...`0_L&+-..a..j...A..&.+n.K9.Q.T:.f..l.<p..pa.:.....Q...f..J..d.i..-O.Gv.j..M.S..nF.-C.Bh.....o.....u.=A.q......;..<9....N9....{J..5....ON...\.s.J.p....2...B8....AK.r..Z-X..\|.}o.K...{...U.\|.<.$2....m..U....q.{..yr..aQ...@\|.."..]3....+.gw...yu....L..T\$....o........../.....%X[..cS..0...3.F;_..G...^..\......s~d..(..&u=...R...J.N.L.R8.I..E...Sy.Ce..Z5.....^..=.Y?~....(....oJ.U.;.-.A.J...\|R/..ggx:.0....U./....O......t...j.aT.[..+y..]9..Ejo...3W.oi.\yY.].OH.v..X.'...P:TJp..Y.

C:\Users\user\AppData\Local\Temp\aut2216.tmp

Download File

Process:	C:\Users\user\Desktop\rnoahcrypter.exe
File Type:	data
Category:	dropped
Size (bytes):	9826
Entropy (8bit):	7.604907148616853
Encrypted:	false
SSDEEP:	192:65jwEiq2KWeTY6Vi+7MX9O1JZNO3yLyD416WBAonrXmAO6hKw0bP6/y:I6qTRPI9ObSCGD413BAonDmA7AP6/y
MD5:	7912CF121C861157DE643587A651AFC9
SHA1:	BA8C78CC2670BD8F20AC1C08A24632045504EFB8
SHA-256:	4714357C28D36DE5CF17BF559505662DD5068D6843EB309E694B506B6BDDF897
SHA-512:	4E85B40E40C812D7647CD63A643E0CD07C49AFBBF7A83ACCD0F1738B1B004EE71C3109E2BE229F82A0527E5990959C28784AAB5259DFF0D74074447852878AD8
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\derogates

Download File

Process:	C:\Users\user\Desktop\rnoahcrypter.exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.8935008726238705
Encrypted:	false
SSDEEP:	6144:1gQTbvsePET7MXDFI2EUD99i7tgBNZw7TvF/TmHXQ:1gQEePEvMXpF3IgLZAz
MD5:	36C8CE98C85B7938C585635CDDC68915
SHA1:	0D685706A88641C7FE1776DE96CE9974EFF7820A
SHA-256:	1B3C2128FCA0A6A5592AA53EBD3D62D42D59AC687F008D709B9D09E57BAA5181
SHA-512:	0D4D9BBBEA89190C33B1527C9C3396B4F5CB2D92AC74408EDB08A205F4A6D903409418ACD5EA609AC85F2D690A57206717872EE81D1DA6A034B3C1E09AF6BE90
Malicious:	false
Reputation:	low
Preview:	...Y4AVLJ8HF..0J.CWY7AVL.8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HF.90JD\.W7._.o.I...d"#0w)E.1>/Uh%;W^%>c5<.3#"nQ&f.vcj',3<.L[Fj8HFZ90J"S.t.0.2bI.8vH.4x`('.0.2E..8qH.4f2.'k0.2\|.&8FH.4x`>'.0.2\|.38wH.4.41.0.2N8HFZ90JJCWY7AVL... Z90J..WY{@RL:.H.Z90JJCWY.AuME9AFZ.1JJ?UY7AVLa.HFZ)0JJ.VY7A.LN(HFZ;0JOCWY7AVLK8HFZ90JJ#SY7EVL..JFX90.JCGY7QVLN8XFZ)0JJCWY'AVLN8HFZ90J.VUYgAVLNXJFf.1JJCWY7AVLN8HFZ90JJCWY7AVL..IFF90JJCWY7AVLN8HFZ90JJCWY7AVL.5JF.90JJCWY7AVLN.IF.80JJCWY7AVLN8HFZ90JJCWY7AVL`L->.90JR.VY7QVLN.IFZ=0JJCWY7AVLN8HFz90d138C VL.UHFZ.1JJ-WY7.WLN8HFZ90JJCWYwAV.`\)2;90J.sWY7aTLN.HFZ32JJCWY7AVLN8HF.90.d1$+TAVLr.IFZY2JJ.VY7aTLN8HFZ90JJCWYwAV.N8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVLN8HFZ90JJCWY7AVL

C:\Users\user\AppData\Local\Temp\nonplacental

Download File

Process:	C:\Users\user\Desktop\rnoahcrypter.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.589117064015916
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbA+IL26cz24vfF3if6gJ:miTZ+2QoioGRk6ZklputwjpjBkCiw2RM
MD5:	9620C6BB5A31264C0D20D9E8C117A97C
SHA1:	B48CE3EF94F1A7605AA9BDC3E08D4A9F678FFD03
SHA-256:	D61683FB741CDFAC0E3272FB2FE80881E1F45E86D19288F41FF9469D9A1ADF1D
SHA-512:	004EFFEC44089494A5BF19B533C40CAB49A653BE91395077E7B0418906377A37452EE9EDA99D595115168C7FD447CCCCD31FC7A5ED500B4874FB45A08CAFDF1E
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.124385383053115
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rnoahcrypter.exe
File size:	1'174'016 bytes
MD5:	d560a00761c873c47778db0e4501b93e
SHA1:	c8032767d547373b2d4c56045eaebb831d49fc3a
SHA256:	e0b2a21d46eaafd76da52888f1fbbca89592301d69cf9cfe6be58992aa021f9a
SHA512:	c72a0d4ce42d6290134d26627a02dafcd7f79f79e036ae975381d2d5c68f5897331b1e44a65487b9f0c27d7531828d60aeefc47d9a5ee607f559e680307824a5
SSDEEP:	24576:zAHnh+eWsN3skA4RV1Hom2KXMmHa1ATE0kX+G7uEEbuyX5:+h+ZkldoPK8Ya1Aot+GCE2
TLSH:	5945AE0273D1C036FFAB92739B6AF60596BC79254133852F13981DB9BC701B2267E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66848A52 [Tue Jul 2 23:16:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1DCCE2376Dh
jmp 00007F1DCCE16524h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1DCCE166AAh
cmp edi, eax
jc 00007F1DCCE16A0Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F1DCCE166A9h
rep movsb
jmp 00007F1DCCE169BCh
cmp ecx, 00000080h
jc 00007F1DCCE16874h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1DCCE166B0h
bt dword ptr [004BF324h], 01h
jc 00007F1DCCE16B80h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F1DCCE1684Dh
test edi, 00000003h
jne 00007F1DCCE1685Eh
test esi, 00000003h
jne 00007F1DCCE1683Dh
bt edi, 02h
jnc 00007F1DCCE166AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1DCCE166B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1DCCE16705h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x543a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x543a0	0x54400	c1cb8512fa29a3813571e75efddf800b	False	0.9223415476632048	data	7.882057645680776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4b668	data			1.000327030177438
RT_GROUP_ICON	0x11be20	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11be98	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11beac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11bec0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11bed4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11bfb0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 18:56:56.108055115 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.108115911 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.108253956 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.118267059 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.118305922 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.583333969 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.583426952 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.588349104 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.588382959 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.588628054 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.628093004 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.652510881 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.696523905 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.758966923 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.759047031 CEST	443	49730	104.26.13.205	192.168.2.4
Jul 3, 2024 18:56:56.759102106 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:56.769486904 CEST	49730	443	192.168.2.4	104.26.13.205
Jul 3, 2024 18:56:57.393599987 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:57.398454905 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:57.398562908 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.222858906 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.223607063 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.228447914 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.418308020 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.418754101 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.423679113 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.612956047 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.613553047 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.618676901 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.818248987 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.818269014 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.818279028 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.818306923 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.818388939 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.818439960 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.905751944 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:58.931982040 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:58.937011003 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.141724110 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.144733906 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:59.149545908 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.336982012 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.337965965 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:59.342788935 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.531613111 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.532130957 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:59.537055016 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.742238045 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.742594004 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:59.747590065 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.934902906 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:56:59.935125113 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:56:59.939892054 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.193748951 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.193945885 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:57:00.198749065 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.386250019 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.386879921 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:57:00.386960983 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:57:00.386984110 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:57:00.387011051 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:57:00.391607046 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.391921997 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.391980886 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.391989946 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.858393908 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.895488024 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:57:00.895556927 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:58:37.346297026 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 3, 2024 18:58:37.351397038 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:58:37.540601969 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 3, 2024 18:58:37.542212009 CEST	49731	587	192.168.2.4	164.68.127.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 18:56:56.088139057 CEST	58768	53	192.168.2.4	1.1.1.1
Jul 3, 2024 18:56:56.095319033 CEST	53	58768	1.1.1.1	192.168.2.4
Jul 3, 2024 18:56:57.326014042 CEST	58868	53	192.168.2.4	1.1.1.1
Jul 3, 2024 18:56:57.392205954 CEST	53	58868	1.1.1.1	192.168.2.4
Jul 3, 2024 18:57:16.588733912 CEST	53	53218	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 18:56:56.088139057 CEST	192.168.2.4	1.1.1.1	0x6e76	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 3, 2024 18:56:57.326014042 CEST	192.168.2.4	1.1.1.1	0xfa2c	Standard query (0)	mail.magna.com.pk	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 18:56:56.095319033 CEST	1.1.1.1	192.168.2.4	0x6e76	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 18:56:56.095319033 CEST	1.1.1.1	192.168.2.4	0x6e76	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 3, 2024 18:56:56.095319033 CEST	1.1.1.1	192.168.2.4	0x6e76	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 3, 2024 18:56:57.392205954 CEST	1.1.1.1	192.168.2.4	0xfa2c	No error (0)	mail.magna.com.pk	164.68.127.9	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.26.13.205	443	6716	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 16:56:56 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-03 16:56:56 UTC	211	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 16:56:56 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89d8696a6ef04322-EWR
2024-07-03 16:56:56 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 3, 2024 18:56:58.222858906 CEST	587	49731	164.68.127.9	192.168.2.4	220-hosting.magna-group.com ESMTP Exim 4.96.2 #2 Wed, 03 Jul 2024 21:56:58 +0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 3, 2024 18:56:58.223607063 CEST	49731	587	192.168.2.4	164.68.127.9	EHLO 114127
Jul 3, 2024 18:56:58.418308020 CEST	587	49731	164.68.127.9	192.168.2.4	250-hosting.magna-group.com Hello 114127 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 3, 2024 18:56:58.418754101 CEST	49731	587	192.168.2.4	164.68.127.9	STARTTLS
Jul 3, 2024 18:56:58.612956047 CEST	587	49731	164.68.127.9	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	12:56:53
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\rnoahcrypter.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rnoahcrypter.exe"
Imagebase:	0xd80000
File size:	1'174'016 bytes
MD5 hash:	D560A00761C873C47778DB0E4501B93E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1649642845.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:56:54
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rnoahcrypter.exe"
Imagebase:	0x6d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.2883331990.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884628166.0000000002DDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.2884418463.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2885712904.0000000003D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884628166.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.2885963637.00000000051A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884628166.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2884284131.00000000028DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884628166.0000000002DF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	168

Executed Functions

Function 00D83B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D83B7A
IsDebuggerPresent.KERNEL32 ref: 00D83B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E462F8,00E462E0,?,?), ref: 00D83BFD

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Part of subcall function 00D90A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D83C26,00E462F8,?,?,?), ref: 00D90ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00D83C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E393F0,00000010), ref: 00DBD4BC
SetCurrentDirectoryW.KERNEL32(?,00E462F8,?,?,?), ref: 00DBD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E35D40,00E462F8,?,?,?), ref: 00DBD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00DBD581

Part of subcall function 00D83A58: GetSysColorBrush.USER32(0000000F), ref: 00D83A62
Part of subcall function 00D83A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D83A71
Part of subcall function 00D83A58: LoadIconW.USER32(00000063), ref: 00D83A88
Part of subcall function 00D83A58: LoadIconW.USER32(000000A4), ref: 00D83A9A
Part of subcall function 00D83A58: LoadIconW.USER32(000000A2), ref: 00D83AAC
Part of subcall function 00D83A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D83AD2
Part of subcall function 00D83A58: RegisterClassExW.USER32(?), ref: 00D83B28

Part of subcall function 00D839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D83A15
Part of subcall function 00D839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D83A36
Part of subcall function 00D839E7: ShowWindow.USER32(00000000,?,?), ref: 00D83A4A
Part of subcall function 00D839E7: ShowWindow.USER32(00000000,?,?), ref: 00D83A53

Part of subcall function 00D843DB: _memset.LIBCMT ref: 00D84401
Part of subcall function 00D843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D844A6

Strings

%, xrefs: 00D83C56
This is a third-party compiled AutoIt script., xrefs: 00DBD4B4
runas, xrefs: 00DBD575

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: 2a54c12ba9aca5e101c9cfbeb2fcb7fee79282d79a635492b4a9b1d54cc99877
Instruction ID: d14c8e4c061ff07abbb25460b3e33ca3adbd903a8a49fd01813a1a4bf40b7443
Opcode Fuzzy Hash: 2a54c12ba9aca5e101c9cfbeb2fcb7fee79282d79a635492b4a9b1d54cc99877
Instruction Fuzzy Hash: 3851F474A04249BFCF11BBB5EC06EED7B79EB46B00F044065F455721A2DAB08A4ACB36

Function 00D84AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D84B2B

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

GetCurrentProcess.KERNEL32(?,00E0FAEC,00000000,00000000,?), ref: 00D84BF8
IsWow64Process.KERNEL32(00000000), ref: 00D84BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D84C45
FreeLibrary.KERNEL32(00000000), ref: 00D84C50
GetSystemInfo.KERNEL32(00000000), ref: 00D84C81
GetSystemInfo.KERNEL32(00000000), ref: 00D84C8D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: f8ffef360665d1b5fb11ceda9885954079f759660d38b3f998c18702c2aa66d0
Instruction ID: 3d24a183c37478db6e175f7a40541927412ccf658b29ce4d3e6dd388efb30e05
Opcode Fuzzy Hash: f8ffef360665d1b5fb11ceda9885954079f759660d38b3f998c18702c2aa66d0
Instruction Fuzzy Hash: FD91C33154ABC1DEC731EB6884515AAFFE5AF2A300B584D9EE0CB93A41D234F948C779

Function 00D84FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D84EEE,?,?,00000000,00000000), ref: 00D84FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D84EEE,?,?,00000000,00000000), ref: 00D85010
LoadResource.KERNEL32(?,00000000,?,?,00D84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D84F8F), ref: 00DBDD60
SizeofResource.KERNEL32(?,00000000,?,?,00D84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D84F8F), ref: 00DBDD75
LockResource.KERNEL32(00D84EEE,?,?,00D84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D84F8F,00000000), ref: 00DBDD88

Strings

SCRIPT, xrefs: 00D85006

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8dcb61718278797602660b5f66be9624af4f9b77c343b42e9542615749ab931a
Instruction ID: 0230329b93db7167e74a988a21528d34a1ea8da5092c2504391bcddd0fc62808
Opcode Fuzzy Hash: 8dcb61718278797602660b5f66be9624af4f9b77c343b42e9542615749ab931a
Instruction Fuzzy Hash: 5A119A74200700AFD7319B66EC48F677BBDEBC9B12F248168F406A6660DB62E8448670

Function 00D8E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt, xrefs: 00DC3F1F
Dt, xrefs: 00D8EC1A
Dt, xrefs: 00D8EC21
Dt, xrefs: 00DC3F58
Variable must be of type 'Object'., xrefs: 00DC428C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: cfb175efda899a4c56b191ae846ad97acbd379c658c14d96f4ebc605fbd2ecc5
Instruction ID: ecf5fed3d2fb038ddd977dd4641aaac48d8bd8fc15a7fe07c716d6a8df2ab3a0
Opcode Fuzzy Hash: cfb175efda899a4c56b191ae846ad97acbd379c658c14d96f4ebc605fbd2ecc5
Instruction Fuzzy Hash: 7BA29D74A04216CFCB24EF58C480AAEB7B1FF49314F288069E956AB351D771ED46CFA1

Function 00DE4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00DBE7C1), ref: 00DE46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00DE46B7
FindClose.KERNEL32(00000000), ref: 00DE46C7

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c550376bf1ec393e32d7ada2dfa5a6002d6c66ae36d8c200921f115ac0e99c8a
Instruction ID: 2a20bd2ff03429a26bcf822690d690ba3ac1f85a323c3ba469a51f9805074c9e
Opcode Fuzzy Hash: c550376bf1ec393e32d7ada2dfa5a6002d6c66ae36d8c200921f115ac0e99c8a
Instruction Fuzzy Hash: 2EE0D8314104005F8220B779EC4D4EA775C9F06335F100719F935D14F0E7B0A9A485A5

Function 00D90B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D90BBB
timeGetTime.WINMM ref: 00D90E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D90FB3
TranslateMessage.USER32(?), ref: 00D90FC7
DispatchMessageW.USER32(?), ref: 00D90FD5
Sleep.KERNEL32(0000000A), ref: 00D90FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00D9105A
DestroyWindow.USER32 ref: 00D91066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D91080
Sleep.KERNEL32(0000000A,?,?), ref: 00DC52AD
TranslateMessage.USER32(?), ref: 00DC608A
DispatchMessageW.USER32(?), ref: 00DC6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DC60AC

Strings

pr, xrefs: 00DC5BDE
@GUI_CTRLHANDLE, xrefs: 00DC540E
@GUI_CTRLID, xrefs: 00DC5364
@COM_EVENTOBJ, xrefs: 00DC591A
pr, xrefs: 00DC542D
@TRAY_ID, xrefs: 00DC5BB9
pr, xrefs: 00DC5383
@GUI_WINHANDLE, xrefs: 00DC53B9
pr, xrefs: 00DC53D8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 9c50bebe631fbdf08b606249feee21909e16d8d215b739ed6889acfbbf994caa
Instruction ID: 84d1732fccbb24676cc8c9add9953e28eb23043bc794831b46f9348ca161bb0e
Opcode Fuzzy Hash: 9c50bebe631fbdf08b606249feee21909e16d8d215b739ed6889acfbbf994caa
Instruction Fuzzy Hash: 08B29F706087429FDB24DF24D884F6ABBE4FF85304F18491DE49A97291DB71E885CBB2

Function 00DE93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DE91E9: __time64.LIBCMT ref: 00DE91F3

Part of subcall function 00D85045: _fseek.LIBCMT ref: 00D8505D

__wsplitpath.LIBCMT ref: 00DE94BE

Part of subcall function 00DA432E: __wsplitpath_helper.LIBCMT ref: 00DA436E

_wcscpy.LIBCMT ref: 00DE94D1
_wcscat.LIBCMT ref: 00DE94E4
__wsplitpath.LIBCMT ref: 00DE9509
_wcscat.LIBCMT ref: 00DE951F
_wcscat.LIBCMT ref: 00DE9532

Part of subcall function 00DE922F: _memmove.LIBCMT ref: 00DE9268
Part of subcall function 00DE922F: _memmove.LIBCMT ref: 00DE9277

_wcscmp.LIBCMT ref: 00DE9479

Part of subcall function 00DE99BE: _wcscmp.LIBCMT ref: 00DE9AAE
Part of subcall function 00DE99BE: _wcscmp.LIBCMT ref: 00DE9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DE96DC
_wcsncpy.LIBCMT ref: 00DE974F
DeleteFileW.KERNEL32(?,?), ref: 00DE9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DE979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DE97BE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b5870d5a77261230786c483afd19dfe7da46b8d99ef9136b315cb580d9ff789b
Instruction ID: 1485999b8a321fa0ed7af761a13f1f18dc214acca6c560de5fa084d5007212d9
Opcode Fuzzy Hash: b5870d5a77261230786c483afd19dfe7da46b8d99ef9136b315cb580d9ff789b
Instruction Fuzzy Hash: E9C13BB1D01219AECF21EF95CC95ADEB7BDEF45300F0040AAF609E6151EB709A848F75

Function 00D83015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D83074
RegisterClassExW.USER32(00000030), ref: 00D8309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D830AF
InitCommonControlsEx.COMCTL32(?), ref: 00D830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D830DC
LoadIconW.USER32(000000A9), ref: 00D830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D83101

Strings

+, xrefs: 00D8305D
0, xrefs: 00D83056
AutoIt v3 GUI, xrefs: 00D83090
TaskbarCreated, xrefs: 00D830A4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 312b9cb34c4903256f81b397892b51128bb259ecea602157408058c02893797e
Instruction ID: a1164237814ae2c79d4c48538de427dccb3b3aaf1901796e439b4889c37ac5cb
Opcode Fuzzy Hash: 312b9cb34c4903256f81b397892b51128bb259ecea602157408058c02893797e
Instruction Fuzzy Hash: 7C3167B5841309EFDB50CFA5E885AC9BBF0FB0A310F14452AE540F62A0D3B6059ACF92

Function 00D83041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D83074
RegisterClassExW.USER32(00000030), ref: 00D8309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D830AF
InitCommonControlsEx.COMCTL32(?), ref: 00D830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D830DC
LoadIconW.USER32(000000A9), ref: 00D830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D83101

Strings

+, xrefs: 00D8305D
0, xrefs: 00D83056
AutoIt v3 GUI, xrefs: 00D83090
TaskbarCreated, xrefs: 00D830A4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 38004fc0fe59912d283879138dec3119a50083eac2cd68da5bccaf2c797ad975
Instruction ID: 2532cb0650f210f0928569b247ac22cd7d9a1cb151f794cd7cd3e8d2b983a19d
Opcode Fuzzy Hash: 38004fc0fe59912d283879138dec3119a50083eac2cd68da5bccaf2c797ad975
Instruction Fuzzy Hash: 5921C7B5910318AFDB10DFA6EC49B9DBBF4FB0E700F00412AF510B62A0D7B245998F96

Function 00D871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D84864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E462F8,?,00D837C0,?), ref: 00D84882

Part of subcall function 00DA074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D872C5), ref: 00DA0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D87308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00DBECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00DBED32
RegCloseKey.ADVAPI32(?), ref: 00DBED70
_wcscat.LIBCMT ref: 00DBEDC9

Strings

Include, xrefs: 00DBECE8, 00DBED29
\Include\, xrefs: 00D872C5
Software\AutoIt v3\AutoIt, xrefs: 00D872FE
\, xrefs: 00DBEDEC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: f9ae5cbf7947b3854fec45ef2df5a6ea3a2b6fc1ee99993eecc1fdf0b000d898
Instruction ID: 9f3d13327c7ae035f6a60a149a3946b130bda5e6abbec6e70e61e895d9b04de3
Opcode Fuzzy Hash: f9ae5cbf7947b3854fec45ef2df5a6ea3a2b6fc1ee99993eecc1fdf0b000d898
Instruction Fuzzy Hash: 8F714BB55083019EC314EF66EC8189BBBE8FF96740B54492EF485A31B0DBB0D949CBB5

Function 00D83633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00D836D2
KillTimer.USER32(?,00000001), ref: 00D836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D8371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D8372A
CreatePopupMenu.USER32 ref: 00D8373E
PostQuitMessage.USER32(00000000), ref: 00D8375F

Strings

%, xrefs: 00DBD2D1, 00DBD31F
TaskbarCreated, xrefs: 00D83725

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: cfdece07f2c2de9d70a7e4de35002f2481c5d1dc5ea3766c4066017d2d4cd209
Instruction ID: 36f43697a543dc317404eb44463679e0ac005d74993cae13333d64ff2101141a
Opcode Fuzzy Hash: cfdece07f2c2de9d70a7e4de35002f2481c5d1dc5ea3766c4066017d2d4cd209
Instruction Fuzzy Hash: 3E4167B1200105BFDF247F6CEC0ABBD3755EB06B00F180529F506A22B1EAA1DE599373

Function 00D83A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D83A62
LoadCursorW.USER32(00000000,00007F00), ref: 00D83A71
LoadIconW.USER32(00000063), ref: 00D83A88
LoadIconW.USER32(000000A4), ref: 00D83A9A
LoadIconW.USER32(000000A2), ref: 00D83AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D83AD2
RegisterClassExW.USER32(?), ref: 00D83B28

Part of subcall function 00D83041: GetSysColorBrush.USER32(0000000F), ref: 00D83074
Part of subcall function 00D83041: RegisterClassExW.USER32(00000030), ref: 00D8309E
Part of subcall function 00D83041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D830AF
Part of subcall function 00D83041: InitCommonControlsEx.COMCTL32(?), ref: 00D830CC
Part of subcall function 00D83041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D830DC
Part of subcall function 00D83041: LoadIconW.USER32(000000A9), ref: 00D830F2
Part of subcall function 00D83041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D83101

Strings

0, xrefs: 00D83B06
#, xrefs: 00D83B0D
AutoIt v3, xrefs: 00D83B17

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e6306e039d16ed2900f28d63082b4a2360d15d49496c1b54e6f9028faecd4b7e
Instruction ID: 536dfc6bb05959a96239d9fcef0bd7a806faa718f177f2abcd7f1c5ed0a2e3d6
Opcode Fuzzy Hash: e6306e039d16ed2900f28d63082b4a2360d15d49496c1b54e6f9028faecd4b7e
Instruction Fuzzy Hash: 28214B74910304BFEB109FA6EC09B9D7BB4FB0A711F00012AF504BA2B0D3F656598F9A

Function 00D83778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 00D8388F
CMDLINERAW, xrefs: 00D8380D
b, xrefs: 00DBD44E
CMDLINE, xrefs: 00D83834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00D837C0
/AutoIt3OutputDebug, xrefs: 00D838A4
/AutoIt3ExecuteLine, xrefs: 00D838B9
/AutoIt3ExecuteScript, xrefs: 00D838CE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 8ad79611a32b5ab28f48c3f3ee4dba99796867a919bb518d3b716611d62c36cb
Instruction ID: 213dc3e4dbb5b4060fd8857dd8c880e55f0fe3c5b8c25e5944b60de4078acbe0
Opcode Fuzzy Hash: 8ad79611a32b5ab28f48c3f3ee4dba99796867a919bb518d3b716611d62c36cb
Instruction Fuzzy Hash: 33A15A71910229AACB04FBA0DC96AEEB7B8FF15700F540529F416B7191EF74AA09CB70

Function 00D8F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DA03D3
Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DA03DB
Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DA03E6
Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DA03F1
Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DA03F9
Part of subcall function 00DA03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DA0401

Part of subcall function 00D96259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D8FA90), ref: 00D962B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D8FB2D
OleInitialize.OLE32(00000000), ref: 00D8FBAA
CloseHandle.KERNEL32(00000000), ref: 00DC49F2

Strings

%, xrefs: 00D8F8F6, 00D8F908, 00D8FACE, 00D8FBB1
\d, xrefs: 00D8F957
<g, xrefs: 00D8FA90
c, xrefs: 00D8F94B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$%$c
API String ID: 1986988660-619945097
Opcode ID: bd5d68f8a484445f0447e80ab997623ee353999403d61ea309721be417e9eeae
Instruction ID: 07b74efa91398ed05fc9a91cbc9926b06ffbcdba54b256ee95f8d5ab912bb677
Opcode Fuzzy Hash: bd5d68f8a484445f0447e80ab997623ee353999403d61ea309721be417e9eeae
Instruction Fuzzy Hash: 0681BCB89013908FCB84EF2BE9556557AF4FB8B718310952AD028E7262EB35544ECF23

Function 017925E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017926B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017928D7

Memory Dump Source

Source File: 00000000.00000002.1649037406.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1790000_rnoahcrypter.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction ID: cdec883a574434dcf9985dbaaf03a2c8700b9495384f3918b244775ef4e8b50d
Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
Instruction Fuzzy Hash: 40A10774E40209EBDF14DFA4D894BEEFBB5BF48304F208199E601BB281D7759A45CB94

Function 00D839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D83A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D83A36
ShowWindow.USER32(00000000,?,?), ref: 00D83A4A
ShowWindow.USER32(00000000,?,?), ref: 00D83A53

Strings

edit, xrefs: 00D83A30
AutoIt v3, xrefs: 00D83A0D, 00D83A12, 00D83A13

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 05ecdbadfcfb1caec493bb879710a1b5fdffbc01154538e9b744a5ef32107765
Instruction ID: 245e09ec93fbbee8eb74878848257ad957afb9c625df67437d8dc99f84652500
Opcode Fuzzy Hash: 05ecdbadfcfb1caec493bb879710a1b5fdffbc01154538e9b744a5ef32107765
Instruction Fuzzy Hash: B1F03A746402907EEB3117276C09E273E7DE7C7F50B00002AF900B65B0C2E60856CAB6

Function 017923B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017922A0: Sleep.KERNELBASE(000001F4), ref: 017922B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017924D1

Strings

JCWY7AVLN8HFZ90J, xrefs: 01792534, 01792537

Memory Dump Source

Source File: 00000000.00000002.1649037406.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1790000_rnoahcrypter.jbxd

Similarity

API ID: CreateFileSleep
String ID: JCWY7AVLN8HFZ90J
API String ID: 2694422964-2408899677
Opcode ID: 06c50ba5e11a050021f67a187c2f35ab2d39bd835f6f67d805af968a1c79a994
Instruction ID: 63b3e6ec1b119e72ea07423a6d69f5b000f5754cc59c71f6772c49b5afd919af
Opcode Fuzzy Hash: 06c50ba5e11a050021f67a187c2f35ab2d39bd835f6f67d805af968a1c79a994
Instruction Fuzzy Hash: 89519230D14259EBEF15DBE4D818BEEBB79AF18300F108199E209BB2C1D7791B49CB65

Function 00D8410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00DBD5EC

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

_memset.LIBCMT ref: 00D8418D
_wcscpy.LIBCMT ref: 00D841E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D841F1

Strings

Line: , xrefs: 00DBD615

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f5be5a9dc572e095aefbd9db08b9a77b44ffedf7ff5a135f8a1056f625439908
Instruction ID: 91dbc5c49933d1c8467676ee6603f3863262ef79b368ec1d53143608f15d4c63
Opcode Fuzzy Hash: f5be5a9dc572e095aefbd9db08b9a77b44ffedf7ff5a135f8a1056f625439908
Instruction Fuzzy Hash: 4F31B371408305AED721FB60DC46FDB77E8AF56300F14451AF195A20A1EBB4A649C7B7

Function 00DA564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA56AB
_memcpy_s.LIBCMT ref: 00DA571D
__read_nolock.LIBCMT ref: 00DA577B
__filbuf.LIBCMT ref: 00DA579E
_memset.LIBCMT ref: 00DA57E2

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 82352c44999f3739858fab4241f9f55bfa085a532732d75066912a11f6e2d727
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 7951C631A00B05DFDB248F79E88066E77A1EF42320F688729F825A62D8D770DD549B70

Function 00D869CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00D84F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84F6F

_free.LIBCMT ref: 00DBE68C
_free.LIBCMT ref: 00DBE6D3

Part of subcall function 00D86BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D86D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00DBE462
Bad directive syntax error, xrefs: 00DBE6BB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d59d4dd7844887952b166bfd29f1412c482cce8ccadf771afe0b2ee3346c6e5c
Instruction ID: 34e1157855e4e600060cd333af309e55cc5f300f4840a073bdaefd2d09563e4c
Opcode Fuzzy Hash: d59d4dd7844887952b166bfd29f1412c482cce8ccadf771afe0b2ee3346c6e5c
Instruction Fuzzy Hash: 58913971910219EFCF14EFA5C8919EDB7B4FF19314F14446AE816AB291EB30E945CB70

Function 00D835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D835A1,SwapMouseButtons,00000004,?), ref: 00D835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D835A1,SwapMouseButtons,00000004,?,?,?,?,00D82754), ref: 00D835F5
RegCloseKey.KERNELBASE(00000000,?,?,00D835A1,SwapMouseButtons,00000004,?,?,?,?,00D82754), ref: 00D83617

Strings

Control Panel\Mouse, xrefs: 00D835D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 66ec829f83683b96c3760986ef05a27fee8ebe7be1d1733976cd6af453c94dc2
Instruction ID: 520c6293cb76893ebb1b06f06164b9a1add41bfa99ac1f42579169c340c2b240
Opcode Fuzzy Hash: 66ec829f83683b96c3760986ef05a27fee8ebe7be1d1733976cd6af453c94dc2
Instruction Fuzzy Hash: 23115A71510208BFDB209F69DC41DAEB7BCEF04B40F008469F809E7210E2719F549770

Function 017912A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01791ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01791AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01791B13

Memory Dump Source

Source File: 00000000.00000002.1649037406.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1790000_rnoahcrypter.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction ID: 4d9e6c689086589d299c15557b044bab8db4b913ee0ffeb7c3f283b51acb0407
Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
Instruction Fuzzy Hash: B6624B30A14259DBEB24CFA4D840BDEB372EF58300F5091A9D20DEB394E7799E85CB59

Function 00DE97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00D85045: _fseek.LIBCMT ref: 00D8505D

Part of subcall function 00DE99BE: _wcscmp.LIBCMT ref: 00DE9AAE
Part of subcall function 00DE99BE: _wcscmp.LIBCMT ref: 00DE9AC1

_free.LIBCMT ref: 00DE992C
_free.LIBCMT ref: 00DE9933
_free.LIBCMT ref: 00DE999E

Part of subcall function 00DA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA9C64), ref: 00DA2FA9
Part of subcall function 00DA2F95: GetLastError.KERNEL32(00000000,?,00DA9C64), ref: 00DA2FBB

_free.LIBCMT ref: 00DE99A6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: b5caa1b31fd912679425b1d6622bd4a3248420e5ccaee9aa6a1e328d458fe431
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 2A5151B1904258AFDF249F65DC81A9EBBB9EF48310F14049EB649A7241DB715D80CF78

Function 00DA493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DA49D0
__flush.LIBCMT ref: 00DA49F0
__write.LIBCMT ref: 00DA4A23
__flsbuf.LIBCMT ref: 00DA4A51

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 7dd3f3a3d592900d5a74daf1e8699e2d1cc276906c9c1d3b89081b22622dc3bd
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 6041C2756007069BDF288FA9C8809AF77A6EFC6364B28813DE855C7680E7B0DD508B74

Function 00D84DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D84E1A

Strings

AU3!P/, xrefs: 00D84E14
EA06, xrefs: 00DBDCF5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: ba3420d03f0887ca818dd511ced54a4dd7dedc2852cc64e76db9d2ea8a5992cd
Instruction ID: 7aa182c03fe7c379396262c54b96fb230e46efb1d76ce5abc96b41b4d4f14dc0
Opcode Fuzzy Hash: ba3420d03f0887ca818dd511ced54a4dd7dedc2852cc64e76db9d2ea8a5992cd
Instruction Fuzzy Hash: 4C415B62A04659ABCF22BB64D8517BE7FA6EF05300F2C4065FD82AB286D6218D4483B1

Function 00D873E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DBEE62
GetOpenFileNameW.COMDLG32(?), ref: 00DBEEAC

Part of subcall function 00D848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D848A1,?,?,00D837C0,?), ref: 00D848CE

Part of subcall function 00DA09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA09F4

Strings

X, xrefs: 00DBEE7A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 38bdd80058b56c2b4af4823dd53e56bb6b19198ba0d3bc6052d5a66900b0b614
Instruction ID: 775841c25bfe4767e4e32bb728dd1bb85d85f4ae90bf4c025c1a563f76b18d4f
Opcode Fuzzy Hash: 38bdd80058b56c2b4af4823dd53e56bb6b19198ba0d3bc6052d5a66900b0b614
Instruction Fuzzy Hash: FA21A131A002589BCB11EF94C845BEE7BF89F49714F14401AE409B7282DBF8998A8FB1

Function 00DE901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DE9036
__fread_nolock.LIBCMT ref: 00DE904B

Strings

EA06, xrefs: 00DE907D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 624603420f45af7e89a45aa26002dddc1822978b9f3d8b3d1ba55c2e8e3f23ef
Instruction ID: fe4d0e0771e6e957c343ece2b1c1cf5a0c85c2b1d1916460274239201f5d9124
Opcode Fuzzy Hash: 624603420f45af7e89a45aa26002dddc1822978b9f3d8b3d1ba55c2e8e3f23ef
Instruction Fuzzy Hash: 4701F9718042586EDB28C7A8D81AEEEBBF8DB01301F00419AF592D2181E579E604C770

Function 00DE9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00DE9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DE9B99

Strings

aut, xrefs: 00DE9B93

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5b6bdc339df22a000ea19b1604c4caed683f62fc70acb65e16347f888b081166
Instruction ID: 3512d8b8b76f0ca71c28307e130f91d8772d1cfe4b204a3887a01fd4ca02b927
Opcode Fuzzy Hash: 5b6bdc339df22a000ea19b1604c4caed683f62fc70acb65e16347f888b081166
Instruction Fuzzy Hash: 18D05B7554030DAFDB209B90DC0DF96772CD704701F0041B1FE54A10A1DDB155E88B91

Function 00DFCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4a203b00635a2fa7351d6a3cd748bf10754dafe0a94ae6bc18bb1fa6a06beb
Instruction ID: 566f275102be9e3d4566e8adb355eabd767012aef0a7f619537692b72376b376
Opcode Fuzzy Hash: ba4a203b00635a2fa7351d6a3cd748bf10754dafe0a94ae6bc18bb1fa6a06beb
Instruction Fuzzy Hash: 59F15A709083459FC714DF28C480A6ABBE6FF88314F15892EF9999B351D731E945CFA2

Function 00D843DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D84401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D844A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D844C3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 06e5e00596ae02eb125cdc375eb5a305d74a7ac936dfbb47536f55d7f9d4a6a8
Instruction ID: c1ffed56e8b7c18974b07b03f44c0e70475ca3658616a2db319c31a96b4d42f0
Opcode Fuzzy Hash: 06e5e00596ae02eb125cdc375eb5a305d74a7ac936dfbb47536f55d7f9d4a6a8
Instruction Fuzzy Hash: 433193B05047019FD720EF65D88479BBBF8FB4A304F04092EF59A93250E7B1A948CB66

Function 00DA594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00DA5963

Part of subcall function 00DAA3AB: __NMSG_WRITE.LIBCMT ref: 00DAA3D2
Part of subcall function 00DAA3AB: __NMSG_WRITE.LIBCMT ref: 00DAA3DC

__NMSG_WRITE.LIBCMT ref: 00DA596A

Part of subcall function 00DAA408: GetModuleFileNameW.KERNEL32(00000000,00E443BA,00000104,?,00000001,00000000), ref: 00DAA49A
Part of subcall function 00DAA408: ___crtMessageBoxW.LIBCMT ref: 00DAA548

Part of subcall function 00DA32DF: ___crtCorExitProcess.LIBCMT ref: 00DA32E5
Part of subcall function 00DA32DF: ExitProcess.KERNEL32 ref: 00DA32EE

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

RtlAllocateHeap.NTDLL(01870000,00000000,00000001,00000000,?,?,?,00DA1013,?), ref: 00DA598F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3d2e423ae1580455835248b677510b53003f961f88b56fd8d225abee310daa58
Instruction ID: 01a9ac8fea75d46a4d9af31022749ec1be02b2f134eda7092e666420db38761a
Opcode Fuzzy Hash: 3d2e423ae1580455835248b677510b53003f961f88b56fd8d225abee310daa58
Instruction Fuzzy Hash: EF01DE36301B12EEEA217B69F842B6F7299CF43770F14012AF901AE1D2DBB09D019B74

Function 00DE9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00DE97D2,?,?,?,?,?,00000004), ref: 00DE9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DE9B5B
CloseHandle.KERNEL32(00000000,?,00DE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DE9B62

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d7fc6adc818d9f8bb71ea76e779528a5a060b85110fc638c29a7d6d35a6c1fd7
Instruction ID: 164f0a2d7f66dbe40577a6b4536a40a59ee7b2d9863cfe92e966ea4b67dd2985
Opcode Fuzzy Hash: d7fc6adc818d9f8bb71ea76e779528a5a060b85110fc638c29a7d6d35a6c1fd7
Instruction Fuzzy Hash: 92E08632181314BBD7312B55EC09FCA7B18AB05B71F144220FB54790E187B225659798

Function 00DE8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00DE8FA5

Part of subcall function 00DA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA9C64), ref: 00DA2FA9
Part of subcall function 00DA2F95: GetLastError.KERNEL32(00000000,?,00DA9C64), ref: 00DA2FBB

_free.LIBCMT ref: 00DE8FB6
_free.LIBCMT ref: 00DE8FC8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: 67ea251c55f438e19ae670255e78cc06faaccd19a394bdd063a1fa6ee26d3bc2
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: A4E017A1709B414ECA24B67FAD40AA367EE9F89360B1C081EB90DDB182DE24E8419138

Function 00D8AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00DC002B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 75e9bd1be72093ee72d970171a4d132ce37bf9f0761ca426ee2317da206a1052
Instruction ID: 464e11d3e5ade94cd9ba58b0b4feca1ec0886cf7876c7f61a4ea3e51e7fe6cf0
Opcode Fuzzy Hash: 75e9bd1be72093ee72d970171a4d132ce37bf9f0761ca426ee2317da206a1052
Instruction Fuzzy Hash: 1C223874508341DFD724EF18C495B2ABBE1FF85310F19895EE8968B262D731EC85CBA2

Function 00D8492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00D84992

Part of subcall function 00DA35AC: __lock.LIBCMT ref: 00DA35B2
Part of subcall function 00DA35AC: DecodePointer.KERNEL32(00000001,?,00D849A7,00DD81BC), ref: 00DA35BE
Part of subcall function 00DA35AC: EncodePointer.KERNEL32(?,?,00D849A7,00DD81BC), ref: 00DA35C9

Part of subcall function 00D84A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D84A73
Part of subcall function 00D84A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D84A88

Part of subcall function 00D83B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D83B7A
Part of subcall function 00D83B4C: IsDebuggerPresent.KERNEL32 ref: 00D83B8C
Part of subcall function 00D83B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E462F8,00E462E0,?,?), ref: 00D83BFD
Part of subcall function 00D83B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D83C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D849D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 29cf579535ddf4444df481fd6027daf36300158395890a43c4e57dc5a2bd3e01
Instruction ID: be0ef5a4d397173f08421f933eea6129daff1d44711db09424f5a2d5945bf86e
Opcode Fuzzy Hash: 29cf579535ddf4444df481fd6027daf36300158395890a43c4e57dc5a2bd3e01
Instruction Fuzzy Hash: 7B11CD71918301AFC300EF6AEC4591AFBE8EF96710F00451EF095A72B1DBB0954ACBA6

Function 00D85DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00D85981,?,?,?,?), ref: 00D85E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00D85981,?,?,?,?), ref: 00DBE19C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 74c363dd5a839cd0e79fbf208e93541acc8f6b5c73d894e1f0efa07e8a98c644
Instruction ID: 325007596609d60f56a8ceb35106efebcbe2e5bd0c6300907d92be2743071bd9
Opcode Fuzzy Hash: 74c363dd5a839cd0e79fbf208e93541acc8f6b5c73d894e1f0efa07e8a98c644
Instruction Fuzzy Hash: 8101B970244708BEF7255E24DC86FA6379CEB0176CF148314FAE56A1D0C6B05D498B60

Function 00DA0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DA594C: __FF_MSGBANNER.LIBCMT ref: 00DA5963
Part of subcall function 00DA594C: __NMSG_WRITE.LIBCMT ref: 00DA596A
Part of subcall function 00DA594C: RtlAllocateHeap.NTDLL(01870000,00000000,00000001,00000000,?,?,?,00DA1013,?), ref: 00DA598F

std::exception::exception.LIBCMT ref: 00DA102C
__CxxThrowException@8.LIBCMT ref: 00DA1041

Part of subcall function 00DA87DB: RaiseException.KERNEL32(?,?,?,00E3BAF8,00000000,?,?,?,?,00DA1046,?,00E3BAF8,?,00000001), ref: 00DA8830

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bac6a18813aac0313175ad897ee03017c344779c53d807eb37bbb1daa8fcb6d3
Instruction ID: 4d8b933e4d6b19b8efdf3e9198e54bb1734ab162b77e1d57897d004f142089dc
Opcode Fuzzy Hash: bac6a18813aac0313175ad897ee03017c344779c53d807eb37bbb1daa8fcb6d3
Instruction Fuzzy Hash: 63F0C23950031DA6CB21BB98EC069DF7BACDF02351F24042AFD05A6592EFB18AD096F4

Function 00DA582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA585C
__lock_file.LIBCMT ref: 00DA587D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 9126d57842a712e1ca59c0c7982a7678d8259d9585333f48b401e30d9237c8de
Instruction ID: fdd0b8740f51ddd9fc589994d47d01ace529a43c2059b6a6dc24492ba7dd2c23
Opcode Fuzzy Hash: 9126d57842a712e1ca59c0c7982a7678d8259d9585333f48b401e30d9237c8de
Instruction Fuzzy Hash: 56014471C01609EBCF22AF799C0559E7B61EF42760F188215F8146A1A5DB35CA21EBB1

Function 00DA55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

__lock_file.LIBCMT ref: 00DA561B

Part of subcall function 00DA6E4E: __lock.LIBCMT ref: 00DA6E71

__fclose_nolock.LIBCMT ref: 00DA5626

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7b747138d718a095c7d01e09cfad3d04dd22f7f160d78ff420edc02132961bd6
Instruction ID: 558d60d47172445140af96fa12cda9d26c6a18aa9e69e02d8760fc306365812f
Opcode Fuzzy Hash: 7b747138d718a095c7d01e09cfad3d04dd22f7f160d78ff420edc02132961bd6
Instruction Fuzzy Hash: 43F0B471801B059ADB20AF75A80676E77A1AF43334F5D8209E855AB1C5CF7C8A01AB75

Function 0179129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01791ACD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01791AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01791B13

Memory Dump Source

Source File: 00000000.00000002.1649037406.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1790000_rnoahcrypter.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction ID: e617f711ff347fae6e96d7fb792e736441df5238d3e06348d27518de52fcefcd
Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
Instruction Fuzzy Hash: 7612EE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A4F95CF5A

Function 00D92123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5d119cc7a4e82f3cc5f6fda6f50bd9b1a01cfeedbd162e2b1d4aa73ec7f051
Instruction ID: 3e37c799f41a9712bb39b702df02d54334dc54d2823af083fbb67d08108bcc09
Opcode Fuzzy Hash: fd5d119cc7a4e82f3cc5f6fda6f50bd9b1a01cfeedbd162e2b1d4aa73ec7f051
Instruction Fuzzy Hash: 44515C35600604AFCF14FB64C992FBE77A5EF85710F188168F946AB292DA30ED008B75

Function 00D8766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D8774A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ff4398cb78296a2dbd202ebd1e29aa3c893a1f701c43b194804ea4deae2e0d62
Instruction ID: 6995dad9d0749770a3f7bfa30e4c265b5f08cda261b80b2d05d950ba8231b1f7
Opcode Fuzzy Hash: ff4398cb78296a2dbd202ebd1e29aa3c893a1f701c43b194804ea4deae2e0d62
Instruction Fuzzy Hash: 38319679208A02DFC724AF19C491921F7E0FF49310B25C56DE99A8B765E730D881DB74

Function 00D85C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00D85CF6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6c31ae073e5302fcacd98ed16b558f392b4938785e24008dcb08151e0ed14d2a
Instruction ID: b4e4fa1dd3324f766d2b4aedc002d24a4c00a5525dce61576d7bce14a8222343
Opcode Fuzzy Hash: 6c31ae073e5302fcacd98ed16b558f392b4938785e24008dcb08151e0ed14d2a
Instruction Fuzzy Hash: AA311C71A00B19EFCB18EF6DD48469DB7B5FF48310F188629D81993714D771A960DBA0

Function 00DC00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DC00E1

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7c73516546206c1d8547d48e553b0504026b7eca4111b9cc958507b683e6bc0e
Instruction ID: ea2a401ac751dd192b6cfcc914a7e4491acb5c439431758708fdbbe399b385a1
Opcode Fuzzy Hash: 7c73516546206c1d8547d48e553b0504026b7eca4111b9cc958507b683e6bc0e
Instruction Fuzzy Hash: BC411574604341DFDB24DF18C484B1ABBE0BF45318F09899DE8998B762D376EC95CB62

Function 00D880D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D88109

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
Instruction ID: 15746e5675c309c489fdb74a6d9d2fe48dfe1ae7953e295d89ed74f64e15ade9
Opcode Fuzzy Hash: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
Instruction Fuzzy Hash: B4114C79204705DFC724DF28D481916B7E9FF49354B60C82EE88ACB261DB32E841DB60

Function 00D84F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D84D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D84D4D

Part of subcall function 00DA548B: __wfsopen.LIBCMT ref: 00DA5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84F6F

Part of subcall function 00D84CC8: FreeLibrary.KERNEL32(00000000), ref: 00D84D02

Part of subcall function 00D84DD0: _memmove.LIBCMT ref: 00D84E1A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a68c797b5abf95026f101737c863e828358e767ad2e927e273bb338a6c1581c0
Instruction ID: 7ef1711852e3ec4b7f3e982229c26309414fd0a1cb2bcf4b9907d1ae653fc345
Opcode Fuzzy Hash: a68c797b5abf95026f101737c863e828358e767ad2e927e273bb338a6c1581c0
Instruction Fuzzy Hash: 1E110A31601306ABCB10FF70DC12FAE77A9DF84701F10842DF581A61C5DA759A159B70

Function 00DC01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00DC01BB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 841703d70c6a67144592013988fd927b21c3c427657c48fc05ba9b1a5dd1436f
Instruction ID: 343b0a76555e9757ff632ac5ff4c8eb3c2059c1eb85b2e8208c41895ecc7d0a6
Opcode Fuzzy Hash: 841703d70c6a67144592013988fd927b21c3c427657c48fc05ba9b1a5dd1436f
Instruction Fuzzy Hash: 8E212274608342CFDB25EF58C445B1ABBE0BF85304F09896DF89A57721D731E855CB62

Function 00DA0941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA09F4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: b6473276fa53d9ca10ca2538c9423d5a15ea40cc5ecfbb0b43ae38089b90c7a2
Instruction ID: 1bbcc720301d22e3b3ae1ccce796d46d06508f53ac77da1a3787c65a647751fb
Opcode Fuzzy Hash: b6473276fa53d9ca10ca2538c9423d5a15ea40cc5ecfbb0b43ae38089b90c7a2
Instruction Fuzzy Hash: E001B132089248CFCB12DB94E8E86C03FB5EF4B32831851DAD8C08B436CE66591EE771

Function 00D85D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00D85807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00D85D76

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 26a9bebb971d308093f1dbe3938e2d3222b6194484fd8b4d1c3124c628e74c3a
Instruction ID: 2aef0c6f8d08a187c6d87875f5ffc7f943059031692b3f2734f1a3d54f586127
Opcode Fuzzy Hash: 26a9bebb971d308093f1dbe3938e2d3222b6194484fd8b4d1c3124c628e74c3a
Instruction Fuzzy Hash: A9113631200B019FD3309F15E888B66B7E9EF45760F14C92EE8AA8BA54D7B1F945CB60

Function 00DA4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00DA4AD6

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 00c7a885d817cb500c6f223f95896ebbe5b15dfe4c8ebc16cfc9bb3d30427012
Instruction ID: d426c4af7f83bfed5a22279c7821762cd411cc8aa246b8a7673be4d38c5846e1
Opcode Fuzzy Hash: 00c7a885d817cb500c6f223f95896ebbe5b15dfe4c8ebc16cfc9bb3d30427012
Instruction Fuzzy Hash: 31F044319402099BDF51AFA4CC0679F7661EF42329F188518B814AB1D1DBB88A61DF75

Function 00D84FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00E462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84FDE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: edb61e297691e26331ae7e838a1d72811363dfc5787b5415cce72d9c158f7aef
Instruction ID: 53e5209d9eade566973304f3bfa2231063f19b9c4b647bc4b94a3917bad90dc1
Opcode Fuzzy Hash: edb61e297691e26331ae7e838a1d72811363dfc5787b5415cce72d9c158f7aef
Instruction Fuzzy Hash: E9F03972505722DFCB34AF64E494812BBE1BF153293248A3EE2D682A10C732A894DF60

Function 00DA09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DA09F4

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 0e88ac5371afa81e12013b8e58a8a02104c0befee9460aa73df5c9e99f9ef03d
Instruction ID: bd3b62ba244b508a4ba908da8f49a754559fd65ba758f4e9abcdcfa3c5ad8862
Opcode Fuzzy Hash: 0e88ac5371afa81e12013b8e58a8a02104c0befee9460aa73df5c9e99f9ef03d
Instruction Fuzzy Hash: 14E0CD369042289BC720E698DC05FFA77EDDF89790F0401B5FC0CD7215D961AC9186B0

Function 00DE9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00DE914B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 961577e1da061bbe4bfd2a68a9d00eb7cf1a58df790fb80f605b6212b083294b
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 30E092B0104B405FD7359A24D8107E3B3E0FB06315F04081CF29A83341EB6278418769

Function 00D85DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00DBE16B,?,?,00000000), ref: 00D85DBF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ac6c8104ce237a6be395baf37ac745cccd49805db712abf49d743c9630855ede
Instruction ID: 51601593d38a9f6e93e4c96358031e9c2e5044d108512373f3899bfe9dc91b59
Opcode Fuzzy Hash: ac6c8104ce237a6be395baf37ac745cccd49805db712abf49d743c9630855ede
Instruction Fuzzy Hash: 15D0C77464020CBFE710DB81DC46FA9777CD705710F100294FD4466690D6B27D548795

Function 00DA548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00DA5496

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 63cfdcc7d1144180ce075cd8af074ee6c9479a7d660c222e778485c59be2e76c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 08B0927684020C7BDE012E82FC02A593F199B45678F808020FB0C18162A6B3A6A096A9

Function 00DED2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00DED46A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be474a5fd9b8cae1b570c1d9c6ad4b3e2f23a40df14ac75d66b1b111ba093eb3
Instruction ID: 23f1011665418c02aa3e1dff0eee6f5160bd9026969d85c4fad0eb066c6f7e22
Opcode Fuzzy Hash: be474a5fd9b8cae1b570c1d9c6ad4b3e2f23a40df14ac75d66b1b111ba093eb3
Instruction Fuzzy Hash: A4715C342043419FC714FF25D491A6AB7E1EF99714F18492CF8969B2A2DF30E909CB72

Function 00DA0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00DA0EF7

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ca025a722f3a7a9facdd13617661776d7571fcaac1a83f890ac08162ea8fcb67
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1931F671A00105DFCB18DF58D480969FBB6FF5A300B688AA5E449DB651D731EEC1DBE0

Function 017922A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017922B1

Memory Dump Source

Source File: 00000000.00000002.1649037406.0000000001790000.00000040.00001000.00020000.00000000.sdmp, Offset: 01790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1790000_rnoahcrypter.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f9a604de337077ba0e743296c6529c488d963220d4b3e5c7568dcb377a048a66
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B2E0E67494410EEFDB00EFB4D54969E7FB4EF04301F1001A1FD01D2281D6309D508A72

Non-executed Functions

Function 00E0CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E0CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E0CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E0CF00
SendMessageW.USER32 ref: 00E0CF29
_wcsncpy.LIBCMT ref: 00E0CFA1
GetKeyState.USER32(00000011), ref: 00E0CFC2
GetKeyState.USER32(00000009), ref: 00E0CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E0CFE5
GetKeyState.USER32(00000010), ref: 00E0CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E0D018
SendMessageW.USER32 ref: 00E0D03F
SendMessageW.USER32(?,00001030,?,00E0B602), ref: 00E0D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E0D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E0D16E
SetCapture.USER32(?), ref: 00E0D177
ClientToScreen.USER32(?,?), ref: 00E0D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E0D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E0D203
ReleaseCapture.USER32 ref: 00E0D20E
GetCursorPos.USER32(?), ref: 00E0D248
ScreenToClient.USER32(?,?), ref: 00E0D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E0D2B1
SendMessageW.USER32 ref: 00E0D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E0D31C
SendMessageW.USER32 ref: 00E0D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E0D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E0D37B
GetCursorPos.USER32(?), ref: 00E0D39B
ScreenToClient.USER32(?,?), ref: 00E0D3A8
GetParent.USER32(?), ref: 00E0D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E0D431
SendMessageW.USER32 ref: 00E0D462
ClientToScreen.USER32(?,?), ref: 00E0D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E0D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E0D51A
SendMessageW.USER32 ref: 00E0D53D
ClientToScreen.USER32(?,?), ref: 00E0D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E0D5C3

Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC

GetWindowLongW.USER32(?,000000F0), ref: 00E0D65F

Strings

F, xrefs: 00E0D543
pr, xrefs: 00E0D1BD
@GUI_DRAGID, xrefs: 00E0D1AA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1436871235
Opcode ID: 74c36bf38e9a2e82f0457b63830d09e373d9b02dbe0ffd99e06b0d2bbf8075a2
Instruction ID: fc589fed04ee71e20443ae2887cbb1f8e078ba7590d5977abff11cf7b950f774
Opcode Fuzzy Hash: 74c36bf38e9a2e82f0457b63830d09e373d9b02dbe0ffd99e06b0d2bbf8075a2
Instruction Fuzzy Hash: BB42AF34204341AFD725CF68DC44EAABBE5FF49318F24161DF695A72E0C7329896CB92

Function 00E0804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E0873F

Strings

%d/%02d/%02d, xrefs: 00E08478

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: f324eee5606f9628a2d7df8361d0c4087f1f95a4e5d5621b0f164c5c7579ac59
Instruction ID: 65e7a331459fbe8846a49b63cbb9e02d56ef1c6c6224ad6d4ea18bd356ea3233
Opcode Fuzzy Hash: f324eee5606f9628a2d7df8361d0c4087f1f95a4e5d5621b0f164c5c7579ac59
Instruction Fuzzy Hash: FF12E170500204AFEB248F25DD49FAA7BB8EF49714F246129F995FB2E0DF718985CB60

Function 00D9710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D975C2
_memset.LIBCMT ref: 00D976B1
_memmove.LIBCMT ref: 00D97C4B
_memmove.LIBCMT ref: 00D97E4F

Strings

0w, xrefs: 00DD1F5B
\b(?=\w), xrefs: 00DD3C34
Q\E, xrefs: 00D981C1
[:>:]], xrefs: 00D9760A
[:<:]], xrefs: 00D975F1
DEFINE, xrefs: 00DD25AF
\b(?<=\w), xrefs: 00DD3C41

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3460961967
Opcode ID: d386ff5b8ed62b9cd9e06f85e46f4dcf199772224c1cd11c380beaa9355cc93a
Instruction ID: a3c27abbaed6b92415b53441f351e37809a963bdcf8923ef1fb82f614571fff0
Opcode Fuzzy Hash: d386ff5b8ed62b9cd9e06f85e46f4dcf199772224c1cd11c380beaa9355cc93a
Instruction Fuzzy Hash: 6E939075A04215DBDF24CF98C881BADB7B1FF58710F29816BE955AB380E7709E81CB60

Function 00D84A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00D84A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DBDA8E
IsIconic.USER32(?), ref: 00DBDA97
ShowWindow.USER32(?,00000009), ref: 00DBDAA4
SetForegroundWindow.USER32(?), ref: 00DBDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DBDAC4
GetCurrentThreadId.KERNEL32 ref: 00DBDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DBDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DBDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00DBDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00DBDAF8
SetForegroundWindow.USER32(?), ref: 00DBDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBDB10
keybd_event.USER32(00000012,00000000), ref: 00DBDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBDB25
keybd_event.USER32(00000012,00000000), ref: 00DBDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBDB33
keybd_event.USER32(00000012,00000000), ref: 00DBDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DBDB42
keybd_event.USER32(00000012,00000000), ref: 00DBDB47
SetForegroundWindow.USER32(?), ref: 00DBDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00DBDB71

Strings

Shell_TrayWnd, xrefs: 00DBDA89

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: be3fc0d4291064f6446993747df3ced5ed878e42dac2f4ec207b62a218714b88
Instruction ID: 0b73ddd8b4e5eee6ed774a7625cd0ed30dd5be26d9623e87e92737924d3eee0f
Opcode Fuzzy Hash: be3fc0d4291064f6446993747df3ced5ed878e42dac2f4ec207b62a218714b88
Instruction Fuzzy Hash: C5318471A40318BEEB306F629C49FBE7E6DEB44B50F154025FA01B61D0D6B25D50ABA4

Function 00DD8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00DD8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD8D0D
Part of subcall function 00DD8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8D3A
Part of subcall function 00DD8CC3: GetLastError.KERNEL32 ref: 00DD8D47

_memset.LIBCMT ref: 00DD889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00DD88ED
CloseHandle.KERNEL32(?), ref: 00DD88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DD8915
GetProcessWindowStation.USER32 ref: 00DD892E
SetProcessWindowStation.USER32(00000000), ref: 00DD8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DD8952

Part of subcall function 00DD8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD8851), ref: 00DD8728
Part of subcall function 00DD8713: CloseHandle.KERNEL32(?,?,00DD8851), ref: 00DD873A

Strings

default, xrefs: 00DD894D
winsta0, xrefs: 00DD8910
, xrefs: 00DD88AA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6d2e682cad8769d5433f5c457da6ef368c75e88fa381af7ecf56111d72e95af0
Instruction ID: b273a93c12f9dd65c2150e828b7617fc1bcf85d5e035ba197a94430d316a5358
Opcode Fuzzy Hash: 6d2e682cad8769d5433f5c457da6ef368c75e88fa381af7ecf56111d72e95af0
Instruction Fuzzy Hash: 32812B71900209AFDF22DFA5DC45AEE7BB8EF04305F18516AF910B6261DB728E54EB70

Function 00DF425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E0F910), ref: 00DF4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00DF4292
GetClipboardData.USER32(0000000D), ref: 00DF429A
CloseClipboard.USER32 ref: 00DF42A6
GlobalLock.KERNEL32(00000000), ref: 00DF42C2
CloseClipboard.USER32 ref: 00DF42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00DF42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00DF42EE
GetClipboardData.USER32(00000001), ref: 00DF42F6
GlobalLock.KERNEL32(00000000), ref: 00DF4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00DF4337
CloseClipboard.USER32 ref: 00DF4447

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 7fde287bead2c464e159d081c9d7e6fd04db4bc1b29435b95136cb2cafa4f465
Instruction ID: f36dff78499339b814d4debfa20f107493df9bf9b8a20e308ce46fa69f2493fb
Opcode Fuzzy Hash: 7fde287bead2c464e159d081c9d7e6fd04db4bc1b29435b95136cb2cafa4f465
Instruction Fuzzy Hash: 3F51BE31204205AFD320FF61EC95F7F77A8EB84B00F158529F696E21A1DB71D9488BB2

Function 00DEC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DEC9F8
FindClose.KERNEL32(00000000), ref: 00DECA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DECA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DECA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DECAAF
__swprintf.LIBCMT ref: 00DECAFB
__swprintf.LIBCMT ref: 00DECB3E

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

__swprintf.LIBCMT ref: 00DECB92

Part of subcall function 00DA38D8: __woutput_l.LIBCMT ref: 00DA3931

__swprintf.LIBCMT ref: 00DECBE0

Part of subcall function 00DA38D8: __flsbuf.LIBCMT ref: 00DA3953
Part of subcall function 00DA38D8: __flsbuf.LIBCMT ref: 00DA396B

__swprintf.LIBCMT ref: 00DECC2F
__swprintf.LIBCMT ref: 00DECC7E
__swprintf.LIBCMT ref: 00DECCCD

Strings

%02d, xrefs: 00DECB86, 00DECB90, 00DECBDE, 00DECC2D, 00DECC7C, 00DECCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00DECAF5
%4d, xrefs: 00DECB38

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 927f45f40e1f96b97efd29a03ada1f98b4ce561c111c0234fa7916d55bbd29de
Instruction ID: ef1fb164dba5dce134d327244cde38e330673f23989fe1cba2e81607e9794fb2
Opcode Fuzzy Hash: 927f45f40e1f96b97efd29a03ada1f98b4ce561c111c0234fa7916d55bbd29de
Instruction Fuzzy Hash: 02A13DB2508344ABC714FBA5C895DBFB7ECEF94700F440929F58692191EB34EA49CB72

Function 00DEF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DEF221
_wcscmp.LIBCMT ref: 00DEF236
_wcscmp.LIBCMT ref: 00DEF24D
GetFileAttributesW.KERNEL32(?), ref: 00DEF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00DEF279
FindNextFileW.KERNEL32(00000000,?), ref: 00DEF291
FindClose.KERNEL32(00000000), ref: 00DEF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00DEF2B8
_wcscmp.LIBCMT ref: 00DEF2DF
_wcscmp.LIBCMT ref: 00DEF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00DEF308
SetCurrentDirectoryW.KERNEL32(00E3A5A0), ref: 00DEF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DEF330
FindClose.KERNEL32(00000000), ref: 00DEF33D
FindClose.KERNEL32(00000000), ref: 00DEF34F

Strings

*.*, xrefs: 00DEF2B3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 9bca8a91b9969f5c30be0fcc9f3502244aea3bc241d9ab57bac596853a26efb7
Instruction ID: 8f29cb5b9819a7966cc9964fd09d78632e8febe1e75a19144da1a06f77b0ae58
Opcode Fuzzy Hash: 9bca8a91b9969f5c30be0fcc9f3502244aea3bc241d9ab57bac596853a26efb7
Instruction Fuzzy Hash: CA31E3765002496FDB20EBB2DC48ADE77ACAF09321F180175F914E30A0EB31DA95CA74

Function 00E00AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E00BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E0F910,00000000,?,00000000,?,?), ref: 00E00C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E00C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E00D1D
RegCloseKey.ADVAPI32(?), ref: 00E0103D
RegCloseKey.ADVAPI32(00000000), ref: 00E0104A

Strings

REG_BINARY, xrefs: 00E00FD8
REG_MULTI_SZ, xrefs: 00E00E05
REG_QWORD, xrefs: 00E00F8B
REG_SZ, xrefs: 00E00D5B
REG_EXPAND_SZ, xrefs: 00E00CBA
REG_DWORD, xrefs: 00E00F0E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d6a12b0a76fa0856a57de1a001018d5434ab1e8827f830757c610333d8b85f4a
Instruction ID: da4728d917af9f572006a5365b59dc8c1568e720cf31f3b9cfeff7d2a0519ec0
Opcode Fuzzy Hash: d6a12b0a76fa0856a57de1a001018d5434ab1e8827f830757c610333d8b85f4a
Instruction Fuzzy Hash: 52025F752006119FCB14EF24C895E2AB7E5FF89714F04985DF88AAB3A1CB34ED45CBA1

Function 00DEF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DEF37E
_wcscmp.LIBCMT ref: 00DEF393
_wcscmp.LIBCMT ref: 00DEF3AA

Part of subcall function 00DE45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DE45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00DEF3D9
FindClose.KERNEL32(00000000), ref: 00DEF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00DEF400
_wcscmp.LIBCMT ref: 00DEF427
_wcscmp.LIBCMT ref: 00DEF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00DEF450
SetCurrentDirectoryW.KERNEL32(00E3A5A0), ref: 00DEF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DEF478
FindClose.KERNEL32(00000000), ref: 00DEF485
FindClose.KERNEL32(00000000), ref: 00DEF497

Strings

*.*, xrefs: 00DEF3FB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a3a434ee49b8e6c55a36c7ac38b90926950f2a114166dcf4b23009c4c947dedd
Instruction ID: d7cfebe2d53b3b2372f2eb1574da119cf7073bbbe24e8c12b75943ccb816ce16
Opcode Fuzzy Hash: a3a434ee49b8e6c55a36c7ac38b90926950f2a114166dcf4b23009c4c947dedd
Instruction Fuzzy Hash: DA31E5725012596FCB20BFA6EC88ADE77AC9F49320F180175F840A30E0DB31DA94CA70

Function 00DD81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD8766
Part of subcall function 00DD874A: GetLastError.KERNEL32(?,00DD822A,?,?,?), ref: 00DD8770
Part of subcall function 00DD874A: GetProcessHeap.KERNEL32(00000008,?,?,00DD822A,?,?,?), ref: 00DD877F
Part of subcall function 00DD874A: HeapAlloc.KERNEL32(00000000,?,00DD822A,?,?,?), ref: 00DD8786
Part of subcall function 00DD874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD879D

Part of subcall function 00DD87E7: GetProcessHeap.KERNEL32(00000008,00DD8240,00000000,00000000,?,00DD8240,?), ref: 00DD87F3
Part of subcall function 00DD87E7: HeapAlloc.KERNEL32(00000000,?,00DD8240,?), ref: 00DD87FA
Part of subcall function 00DD87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DD8240,?), ref: 00DD880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD825B
_memset.LIBCMT ref: 00DD8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD828F
GetLengthSid.ADVAPI32(?), ref: 00DD82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00DD82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD82F9
GetLengthSid.ADVAPI32(?), ref: 00DD8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DD8325
HeapAlloc.KERNEL32(00000000), ref: 00DD832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD834D
CopySid.ADVAPI32(00000000), ref: 00DD8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD83BF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 41a51b0e44a868348efdf5d0561f3e9a2325e099312c285ca872be2869cbc4b1
Instruction ID: 6b48a028dc6d2c357200fffb631351ffd2c38fccf23e6aab457d6060dd294aad
Opcode Fuzzy Hash: 41a51b0e44a868348efdf5d0561f3e9a2325e099312c285ca872be2869cbc4b1
Instruction Fuzzy Hash: E7616971900209AFDF11DFA5DC84AEEBBB9FF04700F04812AF815E7291DB319A25DB60

Function 00D96843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00DD16FA
LIMIT_MATCH=, xrefs: 00DD15A9
ANYCRLF), xrefs: 00DD1734
PJ, xrefs: 00D968B3
NO_START_OPT), xrefs: 00DD1588
NO_AUTO_POSSESS), xrefs: 00DD1567
UTF), xrefs: 00DD1533
ANY), xrefs: 00DD1717
LIMIT_RECURSION=, xrefs: 00DD1635
UCP), xrefs: 00DD1546
UTF16), xrefs: 00DD1508
CR), xrefs: 00DD16C0
BSR_UNICODE), xrefs: 00DD1771
BSR_ANYCRLF), xrefs: 00DD1757
LF), xrefs: 00DD16DD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1624373025
Opcode ID: 77e27515c62e1d223dc9961997055d051867e01fb5998cc167330e222a4bd066
Instruction ID: 6cabc60841d4a7985e165c7c10634ab6163673bc8407d41f58278c7cf81ed402
Opcode Fuzzy Hash: 77e27515c62e1d223dc9961997055d051867e01fb5998cc167330e222a4bd066
Instruction Fuzzy Hash: 7E725F75E00219EBDF24CF59C8907AEB7B5EF48710F14816AE959EB390E770D981CBA0

Function 00DB418A Relevance: 18.3, APIs: 12, Instructions: 273timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00DB41AF

Part of subcall function 00DA9E4B: __mtinitlocknum.LIBCMT ref: 00DA9E5D
Part of subcall function 00DA9E4B: EnterCriticalSection.KERNEL32(00000000,?,00DA9CBC,0000000D), ref: 00DA9E76

____lc_codepage_func.LIBCMT ref: 00DB41F6
__getenv_helper_nolock.LIBCMT ref: 00DB4217
_free.LIBCMT ref: 00DB424A

Part of subcall function 00DA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DA9C64), ref: 00DA2FA9
Part of subcall function 00DA2F95: GetLastError.KERNEL32(00000000,?,00DA9C64), ref: 00DA2FBB

_strlen.LIBCMT ref: 00DB4251
__malloc_crt.LIBCMT ref: 00DB4258
_strlen.LIBCMT ref: 00DB4276
__invoke_watson.LIBCMT ref: 00DB4299
_free.LIBCMT ref: 00DB42A8
GetTimeZoneInformation.KERNEL32(00E44AF8,00000000,00000000,00000000,00000000,00000000,00E3C070,00000030,00DB3F3B,00E3C050,00000008,00DA70B8), ref: 00DB42B9
WideCharToMultiByte.KERNEL32(?,00000000,00E44AFC,000000FF,?,0000003F,00000000,?), ref: 00DB4332
WideCharToMultiByte.KERNEL32(?,00000000,00E44B50,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 00DB436B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone____lc_codepage_func__getenv_helper_nolock__invoke_watson__lock__malloc_crt__mtinitlocknum
String ID:
API String ID: 2302051780-0
Opcode ID: 94cadca67863b5ca29708e29d6bff8d4c56dd38d075fb81ac7d2d40e5aa0438e
Instruction ID: 85319c4f3ad8638f535e1b1b750dd65a59965e32900bc3f06a9ff55cda3b7a98
Opcode Fuzzy Hash: 94cadca67863b5ca29708e29d6bff8d4c56dd38d075fb81ac7d2d40e5aa0438e
Instruction Fuzzy Hash: B3A18DB1940205DEDF15DFA9D881BEDBBB8EF0A710F18002AE452B7292DB748946DB35

Function 00E00665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E00038,?,?), ref: 00E010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E00737

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E007D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E0086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E00AAD
RegCloseKey.ADVAPI32(00000000), ref: 00E00ABA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 5672ce20d5e7c44349a1a6dc00d838aaee6ebee50946fa44131318960b727d8d
Instruction ID: d831655c79f2383b06ef2c37f893436b78303a2a5668cf4487e0613c5cd1abb2
Opcode Fuzzy Hash: 5672ce20d5e7c44349a1a6dc00d838aaee6ebee50946fa44131318960b727d8d
Instruction Fuzzy Hash: 24E13E31204210AFCB14EF25C895E6ABBF4EF89714F04956DF48ADB2A2DB31E945CB61

Function 00DE0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DE0241
GetAsyncKeyState.USER32(000000A0), ref: 00DE02C2
GetKeyState.USER32(000000A0), ref: 00DE02DD
GetAsyncKeyState.USER32(000000A1), ref: 00DE02F7
GetKeyState.USER32(000000A1), ref: 00DE030C
GetAsyncKeyState.USER32(00000011), ref: 00DE0324
GetKeyState.USER32(00000011), ref: 00DE0336
GetAsyncKeyState.USER32(00000012), ref: 00DE034E
GetKeyState.USER32(00000012), ref: 00DE0360
GetAsyncKeyState.USER32(0000005B), ref: 00DE0378
GetKeyState.USER32(0000005B), ref: 00DE038A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 91ce6b390e322b6b195e1bb2a8e2653e29590b183afa5f3a1c1c0a920bfda471
Instruction ID: c80619e435d9c7b99a8abc1771da35af81cfb6f0fd736bd58e5c38117d5d29eb
Opcode Fuzzy Hash: 91ce6b390e322b6b195e1bb2a8e2653e29590b183afa5f3a1c1c0a920bfda471
Instruction Fuzzy Hash: 0241D8245047CA6FFF31BA6688083A5BEE06F12340F4C409DD6C6565C2EBE59DC8C7B6

Function 00DF86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

CoInitialize.OLE32 ref: 00DF8718
CoUninitialize.OLE32 ref: 00DF8723
CoCreateInstance.OLE32(?,00000000,00000017,00E12BEC,?), ref: 00DF8783
IIDFromString.OLE32(?,?), ref: 00DF87F6
VariantInit.OLEAUT32(?), ref: 00DF8890
VariantClear.OLEAUT32(?), ref: 00DF88F1

Strings

Invalid parameter, xrefs: 00DF880F
Failed to create object, xrefs: 00DF878E, 00DF8844
NULL Pointer assignment, xrefs: 00DF87C8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: ef888b13a83c0dbc7c61d91f26cac449173756b8e2459885a7d52caf57889de0
Instruction ID: 0f3a3ace6f1ea27b011c1a205381958a1ce89eb9f35bfbe36280f37c8e397b58
Opcode Fuzzy Hash: ef888b13a83c0dbc7c61d91f26cac449173756b8e2459885a7d52caf57889de0
Instruction Fuzzy Hash: E161AD306083059FC710EF24D848B6ABBE4EF48754F158819FA85AB291CB30ED48DBB3

Function 00DF4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DF447F
EmptyClipboard.USER32 ref: 00DF4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00DF449A
CloseClipboard.USER32 ref: 00DF4539

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d74d416c37e3eaee139c2904e1a5f8a3cae46bed48ecaaff94c9129fd2c649ad
Instruction ID: a7896154e44703511a67a6f449216359f525018486c8f9be7ec3c2b624f1b2f5
Opcode Fuzzy Hash: d74d416c37e3eaee139c2904e1a5f8a3cae46bed48ecaaff94c9129fd2c649ad
Instruction Fuzzy Hash: 3221A3352002149FDB20AF65EC59B7A77A8EF44710F15C016F986EB271CB72EC51CBA5

Function 00DE3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D848A1,?,?,00D837C0,?), ref: 00D848CE

Part of subcall function 00DE4CD3: GetFileAttributesW.KERNEL32(?,00DE3947), ref: 00DE4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00DE3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00DE3B87
MoveFileW.KERNEL32(?,?), ref: 00DE3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00DE3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DE3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00DE3BF5

Strings

\*.*, xrefs: 00DE3A8A, 00DE3A93, 00DE3AA8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 43ddd51661723e899bdc17651cd6af5c7fc3b633531ca1990f32d651c78307bd
Instruction ID: 5db6f022de328879649e768630de07064e3bead9f0a5fb19298bbfbad25935a6
Opcode Fuzzy Hash: 43ddd51661723e899bdc17651cd6af5c7fc3b633531ca1990f32d651c78307bd
Instruction Fuzzy Hash: BC515E31805189AACB15FBA1DD969FDB7B8EF14300F6841A9E44277091EF31AF49CB70

Function 00DEF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DEF6AB
Sleep.KERNEL32(0000000A), ref: 00DEF6DB
_wcscmp.LIBCMT ref: 00DEF6EF
_wcscmp.LIBCMT ref: 00DEF70A
FindNextFileW.KERNEL32(?,?), ref: 00DEF7A8
FindClose.KERNEL32(00000000), ref: 00DEF7BE

Strings

*.*, xrefs: 00DEF690

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 4c00cd0b93daeef36ab95ebf4b8a2aeb05400620030da6337e5c610f0ec18c7d
Instruction ID: 8f83e6a372442a24a20dcbe56c33087aea755767b2ccdddedcae79ffdb8d9ac2
Opcode Fuzzy Hash: 4c00cd0b93daeef36ab95ebf4b8a2aeb05400620030da6337e5c610f0ec18c7d
Instruction Fuzzy Hash: 8E416E7190024A9FCF15FF65CC89AEEBBB4FF05310F14456AE855A21A1DB309E94CBB0

Function 00D94140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D944ED
VUUU, xrefs: 00D944DB
VUUU, xrefs: 00DC7B0C
VUUU, xrefs: 00D94520
ERCP, xrefs: 00D9421F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: bc0b91d5d52450e184c8326d94ff90c5b484ee33dfd99d72d78037cc1f98db4b
Instruction ID: 0d996063db3685a960b0f0ac15cc108b542cf14f2003a0c9f643f05d5e6cf543
Opcode Fuzzy Hash: bc0b91d5d52450e184c8326d94ff90c5b484ee33dfd99d72d78037cc1f98db4b
Instruction Fuzzy Hash: 1EA27170E0421ACBDF24CF58C990FADB7B1BF55314F1881AAD85AA7281D7709E86DF60

Function 00D958C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D95A05
_memmove.LIBCMT ref: 00D95A55
_memmove.LIBCMT ref: 00D95ABB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cfe194a36f7e8c2f89560e9120128cd14f1325f897b678124f75ec14744be4d9
Instruction ID: f13faf2ff9d510a285ad775522c8e491e8ab06c689805f5f84007652e6f05641
Opcode Fuzzy Hash: cfe194a36f7e8c2f89560e9120128cd14f1325f897b678124f75ec14744be4d9
Instruction Fuzzy Hash: 5F12B970A00609EFDF04DFA5E985AAEB7F5FF48300F14822AE446A7254EB35AD11CB70

Function 00DE545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD8D0D
Part of subcall function 00DD8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8D3A
Part of subcall function 00DD8CC3: GetLastError.KERNEL32 ref: 00DD8D47

ExitWindowsEx.USER32(?,00000000), ref: 00DE549B

Strings

, xrefs: 00DE5489
@, xrefs: 00DE548E
SeShutdownPrivilege, xrefs: 00DE546B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e0b13322b74bd37023b84943dfcb4fdd58db1aef94b9ab150059fc10e586b49b
Instruction ID: 7ccb580187cf3e43cee4f7a19c01ae174ad2a2b7062b47e0e95eebcd92b32460
Opcode Fuzzy Hash: e0b13322b74bd37023b84943dfcb4fdd58db1aef94b9ab150059fc10e586b49b
Instruction Fuzzy Hash: 01014731654B456EF738727AFC4ABBA7258EB007C7F280031FC46E20D7DA914C8082B0

Function 00DF6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DF65EF
WSAGetLastError.WSOCK32(00000000), ref: 00DF65FE
bind.WSOCK32(00000000,?,00000010), ref: 00DF661A
listen.WSOCK32(00000000,00000005), ref: 00DF6629
WSAGetLastError.WSOCK32(00000000), ref: 00DF6643
closesocket.WSOCK32(00000000,00000000), ref: 00DF6657

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: f99b1e828ab24439993f6f05ad95c570c84eee9b9a7396ee10db575f414758fc
Instruction ID: 4398bee7cf8a422d87c2a36e305a526565e1b5f9f70c69db8cd85ee2c40451f8
Opcode Fuzzy Hash: f99b1e828ab24439993f6f05ad95c570c84eee9b9a7396ee10db575f414758fc
Instruction Fuzzy Hash: D2218D312002049FCB10EF64C885B7EB7A9EF44720F19819AEA96E7791CB70ED458B71

Function 00D95680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00DA0FF6: std::exception::exception.LIBCMT ref: 00DA102C
Part of subcall function 00DA0FF6: __CxxThrowException@8.LIBCMT ref: 00DA1041

_memmove.LIBCMT ref: 00DD062F
_memmove.LIBCMT ref: 00DD0744
_memmove.LIBCMT ref: 00DD07EB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: cb2d40439b093590caf7a8ca41603185e60a3bac5c487bd9201dd181e9693537
Instruction ID: 1b13a64c16c0129ed7a06308a0295dcbace4465b4603d04b798790a403a47edb
Opcode Fuzzy Hash: cb2d40439b093590caf7a8ca41603185e60a3bac5c487bd9201dd181e9693537
Instruction Fuzzy Hash: 69028170A00209EFDF05DF65E981AAE7BB5EF84300F148069E846EB355EB31DA55CBB1

Function 00D81287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D819FA
GetSysColor.USER32(0000000F), ref: 00D81A4E
SetBkColor.GDI32(?,00000000), ref: 00D81A61

Part of subcall function 00D81290: DefDlgProcW.USER32(?,00000020,?), ref: 00D812D8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: edddbb312ec2e02623c7fc5dbdca84c9b252096d851405d7863dafd7f5af293a
Instruction ID: fc5bed83f67a4ff75c35b1e973ed2ff946fe3d38dadc7104fa14201e2bb9778a
Opcode Fuzzy Hash: edddbb312ec2e02623c7fc5dbdca84c9b252096d851405d7863dafd7f5af293a
Instruction Fuzzy Hash: 14A15578101545FEE62CBB29DC89DBF399CDB42351B28021BF443E61D2CA60DC4B93B6

Function 00DF6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DF80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DF6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00DF6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00DF6B13
WSAGetLastError.WSOCK32(00000000), ref: 00DF6B20
closesocket.WSOCK32(00000000,00000000), ref: 00DF6B34

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 70a20ead33ef0709745730f37bf1fbd98922f92b8a1bd0247f534f74f7e19fb9
Instruction ID: cffffc12405126459ee2a35f62f6ca3e39a3bfdf6679ae306bf2314464dcc8ab
Opcode Fuzzy Hash: 70a20ead33ef0709745730f37bf1fbd98922f92b8a1bd0247f534f74f7e19fb9
Instruction Fuzzy Hash: D741C575700214AFEB10BF64DC96F7EB7A8DB04710F488059FA5AAB3C2DA719D0187B1

Function 00E055FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E0564C
IsWindowEnabled.USER32 ref: 00E0565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00E05667
IsIconic.USER32 ref: 00E05675
IsZoomed.USER32 ref: 00E05683

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9be49a70ea58abf76e48623f875d535bffdab0d5f01ebf02fe245d1b7c54aed3
Instruction ID: 247f6403d16839bdfae46aff22b5c16d4afbf38f4d6240e802bc073a80dc8b3a
Opcode Fuzzy Hash: 9be49a70ea58abf76e48623f875d535bffdab0d5f01ebf02fe245d1b7c54aed3
Instruction Fuzzy Hash: E211B2323009116FE7216F26EC44A6BB79CEF54721B445429F846E7281CB329D818EB5

Function 00DFC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DC1D88,?), ref: 00DFC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DFC324

Strings

GetSystemWow64DirectoryW, xrefs: 00DFC31E
kernel32.dll, xrefs: 00DFC30D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 1182ad106beda9f40dd4fab787898191bada16de60ad73eb06cea1af3641edf9
Instruction ID: 0c595e19e999cf9a9b3b036c461f2c307d936d8903c4de82138608b631fc05e8
Opcode Fuzzy Hash: 1182ad106beda9f40dd4fab787898191bada16de60ad73eb06cea1af3641edf9
Instruction Fuzzy Hash: 64E08C7421030BCFCB344B26C808A9676D4EF08394B84D439E986E2660E770D8A0CAB0

Function 00D93190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: fce009268e59b9931058722dc5a9f9875b7ce524168603a552c6689a6580f6cf
Instruction ID: c1140ec006a6929e57befb00ec01332d644b59036fd62ec37d1a6796ef6098c2
Opcode Fuzzy Hash: fce009268e59b9931058722dc5a9f9875b7ce524168603a552c6689a6580f6cf
Instruction Fuzzy Hash: FC226A716083019FCB24EF64C891B6EB7E4EF88714F14491DF49A97291DB71EA04CBB2

Function 00DFF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DFF151
Process32FirstW.KERNEL32(00000000,?), ref: 00DFF15F

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Process32NextW.KERNEL32(00000000,?), ref: 00DFF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00DFF22E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: c720665f81fa2cf25a1bb0c06a7acbf3056ea8f4e454e2f7f8879068a9779f5d
Instruction ID: 9515e44f76daa204a953801b73624e12cc981162c8d780178427b5a2066c2ff1
Opcode Fuzzy Hash: c720665f81fa2cf25a1bb0c06a7acbf3056ea8f4e454e2f7f8879068a9779f5d
Instruction Fuzzy Hash: 2E516B71504304AFD314EF24DC85A6BBBE8EF94710F54482DF596972A1EB70E908CBB2

Function 00DE40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DE40D1
_memset.LIBCMT ref: 00DE40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00DE4144
CloseHandle.KERNEL32(00000000), ref: 00DE414D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: cc61be8e7abe1e80e341a07644ab98608ac9ff14b1052f14478a95a992e9e0d0
Instruction ID: f31da3f75284c471027f389a24da1939cbf10786752a4e4963bf9f127a5ee787
Opcode Fuzzy Hash: cc61be8e7abe1e80e341a07644ab98608ac9ff14b1052f14478a95a992e9e0d0
Instruction Fuzzy Hash: 6D11CD759013287AD7309BA69C4DFABBB7CEF45760F1041A6F908E7190D6744E84CBB4

Function 00DDEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00DDEB19

Strings

|, xrefs: 00DDEB49
(, xrefs: 00DDEB5F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9b5473e021f1143922f07ab5b780e35ea90f11c1e4907e6bd53f67b76d5de70a
Instruction ID: e5d03150d64020d0cd1056adc9d4be4821577a3d51e6b75a503f864ebe99a81f
Opcode Fuzzy Hash: 9b5473e021f1143922f07ab5b780e35ea90f11c1e4907e6bd53f67b76d5de70a
Instruction Fuzzy Hash: E1323675A007059FD728DF29C481A6AB7F1FF48310B15C56EE89ADB3A1E770E941CB50

Function 00DF25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00DF26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00DF270C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 011358410682b73bd0d889fb199519c8b1c728f8a01fd42cb9b36854928a3610
Instruction ID: 354a4916f403d9079b307402a26d028f5e4cb2c0590d43a01d84a82961bfb4b1
Opcode Fuzzy Hash: 011358410682b73bd0d889fb199519c8b1c728f8a01fd42cb9b36854928a3610
Instruction Fuzzy Hash: 7341D47550020DBFEB20DF54DC85EBBB7BCEB40724F15806AFB41E6140EAB19E419675

Function 00DEB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DEB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DEB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DEB655

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d52c83220351d1bb194350e0422d9337ce13cfe049a3d3a63a89b9492cf15880
Instruction ID: 40e6e0f2d28d83cb6cfe9a47ee0465c499123a35022e18e5087ac119d9f2038a
Opcode Fuzzy Hash: d52c83220351d1bb194350e0422d9337ce13cfe049a3d3a63a89b9492cf15880
Instruction Fuzzy Hash: 72214435A00518EFCB00EFA5D894EADFBB8FF48310F1480A9E945AB351DB31A955CF61

Function 00DD8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DA0FF6: std::exception::exception.LIBCMT ref: 00DA102C
Part of subcall function 00DA0FF6: __CxxThrowException@8.LIBCMT ref: 00DA1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DD8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DD8D3A
GetLastError.KERNEL32 ref: 00DD8D47

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 1092608eb9213149b7be0ffdfa1ab3ea452893904fd6e035ad02174f65718ec9
Instruction ID: 8375a389c3abbe4fa0562d66e4a14baefc4f770aa7166a701f1b26dd62832af2
Opcode Fuzzy Hash: 1092608eb9213149b7be0ffdfa1ab3ea452893904fd6e035ad02174f65718ec9
Instruction Fuzzy Hash: C9118FB1414209AFE7289F58DC85D6BB7BDEB44710B24852EF45693641EF71BC448A70

Function 00DE4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DE4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DE4C43
FreeSid.ADVAPI32(?), ref: 00DE4C53

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fd1a6eca82697dd7d5a2dd2542348144b2e2846a6351625aae10c685d77c9ed4
Instruction ID: 78d4532c17fcf4a1dc63d4f3091e1312e8a76cc905ac74f76dbbcb388d45bea9
Opcode Fuzzy Hash: fd1a6eca82697dd7d5a2dd2542348144b2e2846a6351625aae10c685d77c9ed4
Instruction Fuzzy Hash: 89F04975A1130DBFDF04DFF1DC89AAEBBBCEF08301F1044A9E901E2581E6756A588B50

Function 00DE8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00DE8B25

Part of subcall function 00DA543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DE91F8,00000000,?,?,?,?,00DE93A9,00000000,?), ref: 00DA5443
Part of subcall function 00DA543A: __aulldiv.LIBCMT ref: 00DA5463

Strings

0u, xrefs: 00DE8B1C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: 1b8a222d443dabfc66fbd233e5cd8a442e36a6ba3d2febe6c6c596adca1350c3
Instruction ID: c59a42c0597f4d804266f660ce4b5010e4656fcbcdef27915e29f206665d7366
Opcode Fuzzy Hash: 1b8a222d443dabfc66fbd233e5cd8a442e36a6ba3d2febe6c6c596adca1350c3
Instruction Fuzzy Hash: 4221E4726356108FC329CF26D441A52B3E1EBA5321B288E6CD0E9CF2D0CA74B905DBA4

Function 00D8E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc7b2a738965b9de22de8f309fa22a4de77f443348cf72cf952f5376ec0c55f
Instruction ID: 78bbfc69e9652c1612cd753294e13ab0505a03bdc2bcdf659e760526d2d0e093
Opcode Fuzzy Hash: 1cc7b2a738965b9de22de8f309fa22a4de77f443348cf72cf952f5376ec0c55f
Instruction Fuzzy Hash: 95228C74A00216DFDB24EF58C484AAEB7B1FF09300F188569E896AB351D774ED85CFA1

Function 00DEC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DEC966
FindClose.KERNEL32(00000000), ref: 00DEC996

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2ca454ac1cf50e596872192b30e394f9d9691a809e0c022bbdd575252ca6206b
Instruction ID: 6362a933e69ec57e07776e9e34cefde3ff4c9cfbb3eecfd90ef456d3e9cf8bd3
Opcode Fuzzy Hash: 2ca454ac1cf50e596872192b30e394f9d9691a809e0c022bbdd575252ca6206b
Instruction Fuzzy Hash: 1B118E326102009FD710EF29C855A2AF7E9EF84324F04851EF8AAD72A1DB30AC05CBA1

Function 00DEA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DF977D,?,00E0FB84,?), ref: 00DEA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DF977D,?,00E0FB84,?), ref: 00DEA314

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: efd4d66114c5c44ba1a2d646b18370ded057149f91a29b678f6921b39372e2b2
Instruction ID: 9f0b3ba996a67f438e37efd08a6ca7f745f7ee04f3d40ec4ac388decdee1da57
Opcode Fuzzy Hash: efd4d66114c5c44ba1a2d646b18370ded057149f91a29b678f6921b39372e2b2
Instruction Fuzzy Hash: 5DF0E23510422DABDB20AFA5CC48FEA736CFF08361F004166F908D2180D630A944CBB1

Function 00DD8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DD8851), ref: 00DD8728
CloseHandle.KERNEL32(?,?,00DD8851), ref: 00DD873A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 6c6056758622d68f3908cd84521c87e860f40c7fe50788b207496c22c0d5eb2a
Instruction ID: 666ee90d3e6322153ada78f337e93931929b353c573c4dc7abb9962d963120e8
Opcode Fuzzy Hash: 6c6056758622d68f3908cd84521c87e860f40c7fe50788b207496c22c0d5eb2a
Instruction Fuzzy Hash: 56E0BF75010610EEE7352B61EC05D7777A9EB04751B258429F46680470DB625CD0DB20

Function 00DAA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00DA8F97,?,?,?,00000001), ref: 00DAA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DAA3A3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: bc0fb8dde9a5e7f80fff3eadb00b4b72ee8377f77d84ab69f23fa1557b664919
Instruction ID: f741eb8f8468dcc91212752239689d7a8940dea2e9733200af440c18222824ff
Opcode Fuzzy Hash: bc0fb8dde9a5e7f80fff3eadb00b4b72ee8377f77d84ab69f23fa1557b664919
Instruction Fuzzy Hash: 1DB09231058208AFCA102B92EC09B883F68EB45AB2F404020F60D94860CB6754A48A91

Function 00DAF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b31cc27ead25b2bbc1c3420859bbfbf1ad6221cb40fdbebba082219aca56cd
Instruction ID: 844e91cdce2b3833f45b9b4b59ecae384cb737b156afb4f5747a19a816900ffe
Opcode Fuzzy Hash: b8b31cc27ead25b2bbc1c3420859bbfbf1ad6221cb40fdbebba082219aca56cd
Instruction Fuzzy Hash: 0D325472D69F014DD7239A35C872336A299AFB73D4F14D737F81AB5AA6EB28C4834110

Function 00DB267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017b3dadd5a3fe463f246dd73105f26a41a1a02d7c2c9b49c11cf5993387f55a
Instruction ID: 2715af1363fb268fdae37ce0afc1ebcb02a3f51bf01acd069e7c142f59f05568
Opcode Fuzzy Hash: 017b3dadd5a3fe463f246dd73105f26a41a1a02d7c2c9b49c11cf5993387f55a
Instruction Fuzzy Hash: 2DB1E031D2AF414DD2239A3A8831336B68CAFBB2D5F55D72BFC2674D22EB2185874141

Function 00DF41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00DF4218

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fe029843839e356a701684cdb7d226b460c2f912c73b04e3413a4a3f85fc0e6b
Instruction ID: 0e914ac25768d2b725b6b17aac6fb6cf7ad188e9b16b5cffc5f2ec73f3c7b1c6
Opcode Fuzzy Hash: fe029843839e356a701684cdb7d226b460c2f912c73b04e3413a4a3f85fc0e6b
Instruction Fuzzy Hash: 4CE012312401146FC710AF59D844A6AF7D8EF94760F058025F989D7351DA71E8408BB0

Function 00DE4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00DE4EEC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 990b6a0b4edc891082701e6d72ea1d6fe8bb15e1162486ae76261678a2d1d1ad
Instruction ID: 5b700ddbdc371fa073b52ccf94feb1034fc25a0fc184327f7fda8df4becdc417
Opcode Fuzzy Hash: 990b6a0b4edc891082701e6d72ea1d6fe8bb15e1162486ae76261678a2d1d1ad
Instruction Fuzzy Hash: 66D05E9816078439EC286B239C5FF7B0208F300F81FD8414AB542994C1D8D0AC545030

Function 00DD8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00DD88D1), ref: 00DD8CB3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 96a93d5a7da91f56113a4bc6cfb58948bdc8fd92eebdd9d120c4542cd7d0d9d0
Instruction ID: 29b3f27ab5d9f5703af56198b3eee58a73b2acfbe3b5009880d5f98f5fa79e45
Opcode Fuzzy Hash: 96a93d5a7da91f56113a4bc6cfb58948bdc8fd92eebdd9d120c4542cd7d0d9d0
Instruction Fuzzy Hash: 6DD05E3226050EAFEF018EA4DC01EAF3B69EB04B01F408111FE15D50A1C776D835AB60

Function 00DC2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00DC2242

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d6a2753695502e29fb477c36c4554d65cd1d4a29c3b3ff08ac90b76963b9fa7f
Instruction ID: 80cdb28efab532dcd13083d83bfb5d08afd560eda3f3fd9ceb2f4a9f204012f1
Opcode Fuzzy Hash: d6a2753695502e29fb477c36c4554d65cd1d4a29c3b3ff08ac90b76963b9fa7f
Instruction Fuzzy Hash: ECC04CF5C00119DBDB15DB90DA88DEE77BCAB05304F204055E141F2101D7749B488E71

Function 00DAA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DAA36A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f85f29cbf90ea9de5783b21d663ba9ae1c0e1121f8c005d3cffcd19905945fb5
Instruction ID: 5148423939c4e63fcea8c96dc6a8a2ce33f5af1cfaf2d015011c81df992b794b
Opcode Fuzzy Hash: f85f29cbf90ea9de5783b21d663ba9ae1c0e1121f8c005d3cffcd19905945fb5
Instruction Fuzzy Hash: AEA0113000820CABCA002B82EC08888BFACEB002A0B008020F80C808228B33A8A08A80

Function 00D98A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd48f29f439503e75bc95b7c98db942acc7ff02f024914c2956ac66f0d28cf
Instruction ID: 94197a011c22cbb5c2e13635d354accc04e72affefd361f41bd7d1a7def80060
Opcode Fuzzy Hash: 26fd48f29f439503e75bc95b7c98db942acc7ff02f024914c2956ac66f0d28cf
Instruction Fuzzy Hash: 09222730905616CBDF289F28D49467D77A1EB43704F6C486BD882AB395DB34DD81EB70

Function 00DA2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: c5ce5f2b27c7de585d56802393de6d31e721df15864120dd63d10170eed35ec9
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: C8C17F372050A30ADB6D863E947413EBAE16EA37B131E075DE8B2CB5C4EF20D564E630

Function 00DA283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: f904efb6c4899a6040d4ee9a0ae06c43f54ef84f21ab53e03129ca2a8b2eb12a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 01C18D372091A30ADB6D463E847403EBBE15EA37B131E0B6DE4B2DB5D4EF20D524A630

Function 00DA1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: c3f4464e5bdb80f3d3cd0cc0cd1805f8f85bea67bbd08140221c1b9e73ad9990
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 2EC15F3B2091A30DDF6D463A943413EBAE15EA37B1B1E0B6DE4B2CB5D4EF20D5649630

Function 00E037F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E0F910), ref: 00E038AF
IsWindowVisible.USER32(?), ref: 00E038D3

Strings

CURRENTTAB, xrefs: 00E03945
FINDSTRING, xrefs: 00E039FE
ISVISIBLE, xrefs: 00E038BF
GETLINECOUNT, xrefs: 00E03B4E
TABLEFT, xrefs: 00E0390F
GETCURRENTSELECTION, xrefs: 00E03A6B
EDITPASTE, xrefs: 00E03BE7
GETSELECTED, xrefs: 00E03B2B
SELECTSTRING, xrefs: 00E03A8E
DELSTRING, xrefs: 00E039D1
ADDSTRING, xrefs: 00E0399E
SHOWDROPDOWN, xrefs: 00E03968
SENDCOMMANDID, xrefs: 00E03C62
SETCURRENTSELECTION, xrefs: 00E03A3E
ISENABLED, xrefs: 00E038F3
HIDEDROPDOWN, xrefs: 00E03988
GETCURRENTCOL, xrefs: 00E03BB0
GETLINE, xrefs: 00E03C23
GETCURRENTLINE, xrefs: 00E03B75
ISCHECKED, xrefs: 00E03AC1
TABRIGHT, xrefs: 00E03925
UNCHECK, xrefs: 00E03B0B
CHECK, xrefs: 00E03AF5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: a76239beabfba5262f003ba4fc87f943c90b7fead7b2aef303ff57009a8a60c4
Instruction ID: d07a0a206e0dde578bea3b286d3e34ab455d68a630b703a0d21cdbcaeb719eaa
Opcode Fuzzy Hash: a76239beabfba5262f003ba4fc87f943c90b7fead7b2aef303ff57009a8a60c4
Instruction Fuzzy Hash: A9D177302043059FCB14EF20C495A6ABBA9EF95344F145459F8867B7E2DB31EE8ACB71

Function 00E0A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E0A89F
GetSysColorBrush.USER32(0000000F), ref: 00E0A8D0
GetSysColor.USER32(0000000F), ref: 00E0A8DC
SetBkColor.GDI32(?,000000FF), ref: 00E0A8F6
SelectObject.GDI32(?,?), ref: 00E0A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00E0A930
GetSysColor.USER32(00000010), ref: 00E0A938
CreateSolidBrush.GDI32(00000000), ref: 00E0A93F
FrameRect.USER32(?,?,00000000), ref: 00E0A94E
DeleteObject.GDI32(00000000), ref: 00E0A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00E0A9A0
FillRect.USER32(?,?,?), ref: 00E0A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00E0A9FD

Part of subcall function 00E0AB60: GetSysColor.USER32(00000012), ref: 00E0AB99
Part of subcall function 00E0AB60: SetTextColor.GDI32(?,?), ref: 00E0AB9D
Part of subcall function 00E0AB60: GetSysColorBrush.USER32(0000000F), ref: 00E0ABB3
Part of subcall function 00E0AB60: GetSysColor.USER32(0000000F), ref: 00E0ABBE
Part of subcall function 00E0AB60: GetSysColor.USER32(00000011), ref: 00E0ABDB
Part of subcall function 00E0AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E0ABE9
Part of subcall function 00E0AB60: SelectObject.GDI32(?,00000000), ref: 00E0ABFA
Part of subcall function 00E0AB60: SetBkColor.GDI32(?,00000000), ref: 00E0AC03
Part of subcall function 00E0AB60: SelectObject.GDI32(?,?), ref: 00E0AC10
Part of subcall function 00E0AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E0AC2F
Part of subcall function 00E0AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0AC46
Part of subcall function 00E0AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E0AC5B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ba880e79e8840ebd68144682d23565e92538383fe1808a62ac5b01ba0f5b81fc
Instruction ID: 384af4744ff28a1c68729bb1778d01a6b4f69b93deecb0545d8a39f10295d39d
Opcode Fuzzy Hash: ba880e79e8840ebd68144682d23565e92538383fe1808a62ac5b01ba0f5b81fc
Instruction Fuzzy Hash: 43A1C272108305AFD7209F65DC08E5B7BA9FF89320F145A29F962A61E1C732D898CB52

Function 00D82C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00D82CA2
DeleteObject.GDI32(00000000), ref: 00D82CE8
DeleteObject.GDI32(00000000), ref: 00D82CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00D82CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00D82D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00DBC68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00DBC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00DBCAED

Part of subcall function 00D81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D82036,?,00000000,?,?,?,?,00D816CB,00000000,?), ref: 00D81B9A

SendMessageW.USER32(?,00001053), ref: 00DBCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00DBCB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DBCB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00DBCB62

Strings

0, xrefs: 00DBC981

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: c14127d6929ce8ac2ec3578fbeece618bedefc16c8003306ae3bf8f44d7f9149
Instruction ID: 9b47b9e4ed0c94f385cd2ff9b20730b88208e63753efb28e0a94fae65091a17f
Opcode Fuzzy Hash: c14127d6929ce8ac2ec3578fbeece618bedefc16c8003306ae3bf8f44d7f9149
Instruction Fuzzy Hash: D3129B30610201EFDB20DF24C884BB9B7E5FF45301F585569E886DB662CB32E896CBB1

Function 00DF77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00DF77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DF78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00DF78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DF7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DF7946
GetClientRect.USER32(00000000,?), ref: 00DF7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00DF7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DF79A5
GetStockObject.GDI32(00000011), ref: 00DF79B5
SelectObject.GDI32(00000000,00000000), ref: 00DF79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00DF79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DF79D2
DeleteDC.GDI32(00000000), ref: 00DF79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DF7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00DF7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00DF7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DF7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00DF7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00DF7AAE
GetStockObject.GDI32(00000011), ref: 00DF7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DF7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00DF7ACE

Strings

static, xrefs: 00DF7990, 00DF7AA8
DISPLAY, xrefs: 00DF799B
msctls_progress32, xrefs: 00DF7A4F
AutoIt v3, xrefs: 00DF793E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 664420aa896184bd32948bf2689cb56df9c2c1f39609fa3fe3ecb098faaf74fc
Instruction ID: f8065c6cd7f0fe4a1f8d65a983c5f837ac95c3ba5ae6880f864c9baa10aef502
Opcode Fuzzy Hash: 664420aa896184bd32948bf2689cb56df9c2c1f39609fa3fe3ecb098faaf74fc
Instruction Fuzzy Hash: A9A19F71A00209BFEB14DBA5DC4AFBABBA9EB45710F048114FA14B72E0C7B1AD55CB64

Function 00DEAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DEAF89
GetDriveTypeW.KERNEL32(?,00E0FAC0,?,\\.\,00E0F910), ref: 00DEB066
SetErrorMode.KERNEL32(00000000,00E0FAC0,?,\\.\,00E0F910), ref: 00DEB1C4

Strings

USB, xrefs: 00DEB15B
SAS, xrefs: 00DEB170
PhysicalDrive, xrefs: 00DEB012
RAMDisk, xrefs: 00DEB090
SSD, xrefs: 00DEB0F1
Network, xrefs: 00DEB0A4
ATAPI, xrefs: 00DEB138
Removable, xrefs: 00DEB0B8
Fixed, xrefs: 00DEB0AE
Fibre, xrefs: 00DEB154
RAID, xrefs: 00DEB162
ATA, xrefs: 00DEB13F
Unknown, xrefs: 00DEB086, 00DEB12A
iSCSI, xrefs: 00DEB169
SCSI, xrefs: 00DEB131
\\.\, xrefs: 00DEAFDB
1394, xrefs: 00DEB146
Virtual, xrefs: 00DEB18C
SATA, xrefs: 00DEB177
MMC, xrefs: 00DEB185
SSA, xrefs: 00DEB14D
FileBackedVirtual, xrefs: 00DEB193
CDROM, xrefs: 00DEB09A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c2c971bce7187d52b6e66bc16e72b4517740c52aaa23fadc8a7c9154ba365270
Instruction ID: 64bf1a3c9343be951b0b30c958f70a17e25a8eae19157925df216238e9d00e91
Opcode Fuzzy Hash: c2c971bce7187d52b6e66bc16e72b4517740c52aaa23fadc8a7c9154ba365270
Instruction Fuzzy Hash: DF519F30680385AA8B10FF12C9A687A77B0EB54371B285027E48AB7290C775FD81CB72

Function 00D86A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D86A91
__wcsnicmp.LIBCMT ref: 00D86AA9
__wcsnicmp.LIBCMT ref: 00D86AC1
__wcsnicmp.LIBCMT ref: 00D86AD9
__wcsnicmp.LIBCMT ref: 00D86AF1
__wcsnicmp.LIBCMT ref: 00D86B09
__wcsnicmp.LIBCMT ref: 00D86B21
__wcsnicmp.LIBCMT ref: 00D86B35
__wcsnicmp.LIBCMT ref: 00D86B76
__wcsnicmp.LIBCMT ref: 00D86B8A
__wcsnicmp.LIBCMT ref: 00D86B9E
__wcsnicmp.LIBCMT ref: 00D86BB2

Strings

#include-once, xrefs: 00D86AEB
#comments-start, xrefs: 00D86B1B, 00D86B70
#cs, xrefs: 00D86B2F, 00D86B84
Unterminated group of comments, xrefs: 00DBE82C
#comments-end, xrefs: 00D86B98
#OnAutoItStartRegister, xrefs: 00D86AD3
#requireadmin, xrefs: 00D86ABB
#pragma compile, xrefs: 00D86A8B
Bad directive syntax error, xrefs: 00DBE743
#ce, xrefs: 00D86BAC
#include, xrefs: 00D86B03
Cannot parse #include, xrefs: 00DBE819
#notrayicon, xrefs: 00D86AA3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 77d0667607be5909a8a4c1d90adae890e4e814c217e6b2fb18373c16963a8aeb
Instruction ID: c759306eb1f750ac1a45a2a7dbe559671d97849aba8c86f8bc8eb5936d0a2764
Opcode Fuzzy Hash: 77d0667607be5909a8a4c1d90adae890e4e814c217e6b2fb18373c16963a8aeb
Instruction Fuzzy Hash: 0E81E671640315ABCB24BB60DC83FEA7769EF16710F184025FA46AB1C6EB60EA51C771

Function 00E0AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E0AB99
SetTextColor.GDI32(?,?), ref: 00E0AB9D
GetSysColorBrush.USER32(0000000F), ref: 00E0ABB3
GetSysColor.USER32(0000000F), ref: 00E0ABBE
CreateSolidBrush.GDI32(?), ref: 00E0ABC3
GetSysColor.USER32(00000011), ref: 00E0ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E0ABE9
SelectObject.GDI32(?,00000000), ref: 00E0ABFA
SetBkColor.GDI32(?,00000000), ref: 00E0AC03
SelectObject.GDI32(?,?), ref: 00E0AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00E0AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E0AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00E0AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E0ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E0ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00E0ACEC
DrawFocusRect.USER32(?,?), ref: 00E0ACF7
GetSysColor.USER32(00000011), ref: 00E0AD05
SetTextColor.GDI32(?,00000000), ref: 00E0AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E0AD21
SelectObject.GDI32(?,00E0A869), ref: 00E0AD38
DeleteObject.GDI32(?), ref: 00E0AD43
SelectObject.GDI32(?,?), ref: 00E0AD49
DeleteObject.GDI32(?), ref: 00E0AD4E
SetTextColor.GDI32(?,?), ref: 00E0AD54
SetBkColor.GDI32(?,?), ref: 00E0AD5E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6673108e411899f71d2478cdd4c7b1e54c088c678621b05a6e7f22123493a0c2
Instruction ID: c0957c5593e17eafa5d433ee4d2842c3c2af0414baa90a0c348b21e6b1e1dd4c
Opcode Fuzzy Hash: 6673108e411899f71d2478cdd4c7b1e54c088c678621b05a6e7f22123493a0c2
Instruction Fuzzy Hash: 10616D71901218EFDF219FA5DC48EAEBB79EB08320F158125F911BB2E1D6729D90DF90

Function 00E08C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E08D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E08D45
CharNextW.USER32(0000014E), ref: 00E08D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E08DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E08DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E08DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E08DF9
SetWindowTextW.USER32(?,0000014E), ref: 00E08E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E08E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E08E8C
_memset.LIBCMT ref: 00E08EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E08EFA
_memset.LIBCMT ref: 00E08F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E08F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E08FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00E09088
InvalidateRect.USER32(?,00000000,00000001), ref: 00E090AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E090F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E09121
DrawMenuBar.USER32(?), ref: 00E09130
SetWindowTextW.USER32(?,0000014E), ref: 00E09158

Strings

0, xrefs: 00E090C2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: a6f41e420f892e40561c8dc5436dcfc95c5629d0df9a21814906b831c5b28a14
Instruction ID: 492fb2f4682898121345027efefea92ca8cd20a3fa81985120d6cc6b5737b384
Opcode Fuzzy Hash: a6f41e420f892e40561c8dc5436dcfc95c5629d0df9a21814906b831c5b28a14
Instruction Fuzzy Hash: 97E1AE70901209AFDF209F61CC88AEEBBB9EF05314F009256F955BA2D1DB718AC5DF61

Function 00E04B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E04C51
GetDesktopWindow.USER32 ref: 00E04C66
GetWindowRect.USER32(00000000), ref: 00E04C6D
GetWindowLongW.USER32(?,000000F0), ref: 00E04CCF
DestroyWindow.USER32(?), ref: 00E04CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E04D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E04D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E04D68
SendMessageW.USER32(?,00000421,?,?), ref: 00E04D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E04D90
IsWindowVisible.USER32(?), ref: 00E04DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E04DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E04DDF
GetWindowRect.USER32(?,?), ref: 00E04DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00E04E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00E04E37
CopyRect.USER32(?,?), ref: 00E04E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00E04EB9

Strings

tooltips_class32, xrefs: 00E04D1D
0, xrefs: 00E04BFC
(, xrefs: 00E04E2A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8bb7b6d7459f5419ca26fea6159ccdf416f060184748db8a87a8b6002d1aaa9f
Instruction ID: 34ac0df0654f83c7a95d82849cdb28df29006832f7d8f488104f92ac7f1a15c9
Opcode Fuzzy Hash: 8bb7b6d7459f5419ca26fea6159ccdf416f060184748db8a87a8b6002d1aaa9f
Instruction Fuzzy Hash: 52B169B1604340AFDB14DF65C984B6ABBE4FB84314F00891CF699AB2E1DB71E845CBA1

Function 00D827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D828BC
GetSystemMetrics.USER32(00000007), ref: 00D828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D828EF
GetSystemMetrics.USER32(00000008), ref: 00D828F7
GetSystemMetrics.USER32(00000004), ref: 00D8291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D82939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D82949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D8297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D82990
GetClientRect.USER32(00000000,000000FF), ref: 00D829AE
GetStockObject.GDI32(00000011), ref: 00D829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D829D5

Part of subcall function 00D82344: GetCursorPos.USER32(?), ref: 00D82357
Part of subcall function 00D82344: ScreenToClient.USER32(00E467B0,?), ref: 00D82374
Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000001), ref: 00D82399
Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000002), ref: 00D823A7

SetTimer.USER32(00000000,00000000,00000028,00D81256), ref: 00D829FC

Strings

AutoIt v3 GUI, xrefs: 00D82974

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 714cdb98ee5da87e61a8ff4781d1fd7c8265fee9289e3cbc6fe07b101e58b075
Instruction ID: 58d579b458c1ad54b5f5143faeb618a8c718eb81232c32d345117f020e9abbef
Opcode Fuzzy Hash: 714cdb98ee5da87e61a8ff4781d1fd7c8265fee9289e3cbc6fe07b101e58b075
Instruction Fuzzy Hash: E1B18E71A0020AEFDB14EFA9DC45BEE7BB4FB08711F104129FA16A7290CB70E855CB61

Function 00E04069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E040F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E041B6

Strings

SELECT, xrefs: 00E04250
ISSELECTED, xrefs: 00E041C1
GETSELECTEDCOUNT, xrefs: 00E04199
GETSELECTED, xrefs: 00E042E4
GETSUBITEMCOUNT, xrefs: 00E04141
FINDITEM, xrefs: 00E04329
DESELECT, xrefs: 00E042A4
VIEWCHANGE, xrefs: 00E04375
SELECTCLEAR, xrefs: 00E04235
SELECTALL, xrefs: 00E0421D
GETITEMCOUNT, xrefs: 00E04128
SELECTINVERT, xrefs: 00E04286
GETTEXT, xrefs: 00E0415F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 8a3f54f335c1f86045bc27dd24887678bdca2fb28256f690906c2e755d8471fe
Instruction ID: 01d79df25126a54dc7929635410e5fae1525f5acf46ca6447c8042bf7181918c
Opcode Fuzzy Hash: 8a3f54f335c1f86045bc27dd24887678bdca2fb28256f690906c2e755d8471fe
Instruction Fuzzy Hash: 8CA190B02142019BCB14FF20C992A7AB7A5EF84314F146968B9966B7D2DB31EC45CB71

Function 00DF52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00DF5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00DF5314
LoadCursorW.USER32(00000000,00007F00), ref: 00DF531F
LoadCursorW.USER32(00000000,00007F03), ref: 00DF532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00DF5335
LoadCursorW.USER32(00000000,00007F01), ref: 00DF5340
LoadCursorW.USER32(00000000,00007F81), ref: 00DF534B
LoadCursorW.USER32(00000000,00007F88), ref: 00DF5356
LoadCursorW.USER32(00000000,00007F80), ref: 00DF5361
LoadCursorW.USER32(00000000,00007F86), ref: 00DF536C
LoadCursorW.USER32(00000000,00007F83), ref: 00DF5377
LoadCursorW.USER32(00000000,00007F85), ref: 00DF5382
LoadCursorW.USER32(00000000,00007F82), ref: 00DF538D
LoadCursorW.USER32(00000000,00007F84), ref: 00DF5398
LoadCursorW.USER32(00000000,00007F04), ref: 00DF53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00DF53AE
GetCursorInfo.USER32(?), ref: 00DF53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00DF53E9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 3acca2669ae37af60ae1c179b3b094feccca80301d5a9d459edc5588a5eed135
Instruction ID: 51e37924017752cb7546b36b3d6aefc013c785d7e3635070a5c9a31d1d45a1b6
Opcode Fuzzy Hash: 3acca2669ae37af60ae1c179b3b094feccca80301d5a9d459edc5588a5eed135
Instruction Fuzzy Hash: C0418770E043196ADB109FB69C4986FFFF8EF51710B14452FE609E7290DAB89400CE61

Function 00DDAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DDAAA5
__swprintf.LIBCMT ref: 00DDAB46
_wcscmp.LIBCMT ref: 00DDAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00DDABAE
_wcscmp.LIBCMT ref: 00DDABEA
GetClassNameW.USER32(?,?,00000400), ref: 00DDAC21
GetDlgCtrlID.USER32(?), ref: 00DDAC73
GetWindowRect.USER32(?,?), ref: 00DDACA9
GetParent.USER32(?), ref: 00DDACC7
ScreenToClient.USER32(00000000), ref: 00DDACCE
GetClassNameW.USER32(?,?,00000100), ref: 00DDAD48
_wcscmp.LIBCMT ref: 00DDAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00DDAD82
_wcscmp.LIBCMT ref: 00DDAD96

Part of subcall function 00DA386C: _iswctype.LIBCMT ref: 00DA3874

Strings

%s%u, xrefs: 00DDAB40

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: cb20824fbd219c6ca1a130de2de8bb61b2816cfa769bf8d76f9471dcef1efc36
Instruction ID: 2c0511386b0169fcffb92bb018987284bbd2e187ce459bf7a419872e35254b46
Opcode Fuzzy Hash: cb20824fbd219c6ca1a130de2de8bb61b2816cfa769bf8d76f9471dcef1efc36
Instruction Fuzzy Hash: DDA1E571204706AFDB14DF28C884FAAB7E9FF04315F14862AF999D2650E730E955CBB2

Function 00DDB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00DDB3DB
_wcscmp.LIBCMT ref: 00DDB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00DDB414
CharUpperBuffW.USER32(?,00000000), ref: 00DDB431
_wcscmp.LIBCMT ref: 00DDB44F
_wcsstr.LIBCMT ref: 00DDB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00DDB498
_wcscmp.LIBCMT ref: 00DDB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00DDB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00DDB518
_wcscmp.LIBCMT ref: 00DDB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00DDB550
GetWindowRect.USER32(00000004,?), ref: 00DDB5B9

Strings

@, xrefs: 00DDB3BC
ThumbnailClass, xrefs: 00DDB4A3, 00DDB523

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 348ba33631521b4391de128d068b26e7ba6738538ecd8c442d16084a6af524cf
Instruction ID: 7ded7d13f038c7a829333c80bc348b0fec09c293a42af72fadef57a00851ffe1
Opcode Fuzzy Hash: 348ba33631521b4391de128d068b26e7ba6738538ecd8c442d16084a6af524cf
Instruction Fuzzy Hash: 1A818C71008205DBDB14DF11D885FAA7BE8EF44728F08856BFD859A292DB30ED49CBB1

Function 00E0C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

DragQueryPoint.SHELL32(?,?), ref: 00E0C917

Part of subcall function 00E0ADF1: ClientToScreen.USER32(?,?), ref: 00E0AE1A
Part of subcall function 00E0ADF1: GetWindowRect.USER32(?,?), ref: 00E0AE90
Part of subcall function 00E0ADF1: PtInRect.USER32(?,?,00E0C304), ref: 00E0AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00E0C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E0C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E0C9AE
_wcscat.LIBCMT ref: 00E0C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E0C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00E0CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E0CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00E0CA47
DragFinish.SHELL32(?), ref: 00E0CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E0CB41

Strings

@GUI_DRAGFILE, xrefs: 00E0CAF0
@GUI_DROPID, xrefs: 00E0CA6E
@GUI_DRAGID, xrefs: 00E0CAB9
pr, xrefs: 00E0CA8B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-2073472848
Opcode ID: 5421a9fdea4befa7638ad8197d85b9224c6af4f4d34d5caf81b496b780a48717
Instruction ID: bba949820b9f6e9eb1f1ad7118a8cfe810bb9be7b987adde7c681229ca765a40
Opcode Fuzzy Hash: 5421a9fdea4befa7638ad8197d85b9224c6af4f4d34d5caf81b496b780a48717
Instruction Fuzzy Hash: 87618D71108300AFC715EF61DC85D9FBBE8EF89710F400A2DF592A21A1DB719A49CB62

Function 00DDB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00DDB23F

Strings

CLASSNAME=, xrefs: 00DDB27C
ACTIVE, xrefs: 00DDB21A
[REGEXPTITLE:, xrefs: 00DDB267
[LAST, xrefs: 00DDB2EC
ALL, xrefs: 00DDB2D3
[ACTIVE, xrefs: 00DDB22C
[HANDLE:, xrefs: 00DDB24B
HANDLE=, xrefs: 00DDB238
[CLASS:, xrefs: 00DDB28F
LAST, xrefs: 00DDB204
REGEXP=, xrefs: 00DDB254
[ALL, xrefs: 00DDB2E5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a9ed76d1dcb3e36ea6cc1d21d719098c434c3d14ace23a9f7007716ef9131490
Instruction ID: c1d683f610b92fe40add09ea3facb31f5fb37054b3c6590635c3178816c657f2
Opcode Fuzzy Hash: a9ed76d1dcb3e36ea6cc1d21d719098c434c3d14ace23a9f7007716ef9131490
Instruction Fuzzy Hash: 2A318D32A48305E6DB14FA60CD87EEE7FA9DF14764F64002BB441711D6EFA1AE04C6B5

Function 00DDC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DDC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DDC4E6
SetWindowTextW.USER32(?,?), ref: 00DDC4FD
GetDlgItem.USER32(?,000003EA), ref: 00DDC512
SetWindowTextW.USER32(00000000,?), ref: 00DDC518
GetDlgItem.USER32(?,000003E9), ref: 00DDC528
SetWindowTextW.USER32(00000000,?), ref: 00DDC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DDC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DDC569
GetWindowRect.USER32(?,?), ref: 00DDC572
SetWindowTextW.USER32(?,?), ref: 00DDC5DD
GetDesktopWindow.USER32 ref: 00DDC5E3
GetWindowRect.USER32(00000000), ref: 00DDC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00DDC636
GetClientRect.USER32(?,?), ref: 00DDC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00DDC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DDC693

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 2f9970ec0f06815f5336b16d925faec0c887b9624973da20bcb8a51b16c4c1a7
Instruction ID: 447596603ef7f96caa615a1d2bd454d0cac4f6cba89433aaf22f42be4eb1200a
Opcode Fuzzy Hash: 2f9970ec0f06815f5336b16d925faec0c887b9624973da20bcb8a51b16c4c1a7
Instruction Fuzzy Hash: 26517F7090070AAFDB20DFA9DD85B6EBBF5FF04705F044929E682A26A0C775F954CB60

Function 00E0A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E0A4C8
DestroyWindow.USER32(?,?), ref: 00E0A542

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E0A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E0A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0A5F1
DestroyWindow.USER32(00000000), ref: 00E0A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D80000,00000000), ref: 00E0A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E0A663
GetDesktopWindow.USER32 ref: 00E0A67C
GetWindowRect.USER32(00000000), ref: 00E0A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E0A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E0A6B3

Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC

Strings

tooltips_class32, xrefs: 00E0A5B5, 00E0A643
0, xrefs: 00E0A4DE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: eec614b6b14214d858ac7078202175df64e762d4b48105500f920db9a590c32d
Instruction ID: 8ba37e2c53bf60500adec0d48b6125df31bfdd5b1c7a158c0952cc5beacf4b60
Opcode Fuzzy Hash: eec614b6b14214d858ac7078202175df64e762d4b48105500f920db9a590c32d
Instruction Fuzzy Hash: BE719971140309AFD724CF68DC49F667BF5EB89304F08052DF985A72A1C772E986CB62

Function 00E04619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E046AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E046F6

Strings

GETSELECTED, xrefs: 00E04806
EXISTS, xrefs: 00E0475F
COLLAPSE, xrefs: 00E0473C
GETTOTALCOUNT, xrefs: 00E046DD
EXPAND, xrefs: 00E047A8
SELECT, xrefs: 00E048A7
GETITEMCOUNT, xrefs: 00E047D8
GETTEXT, xrefs: 00E04849
ISCHECKED, xrefs: 00E04879
UNCHECK, xrefs: 00E048D2
CHECK, xrefs: 00E04716

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 56e33f4610f8b4d6a46b42fd33a51940c239df0cffe35f245e8533df8eba3f2a
Instruction ID: d620f2065fbe01c93414686ef1409bb3e1b426358eccababb658ff781388197b
Opcode Fuzzy Hash: 56e33f4610f8b4d6a46b42fd33a51940c239df0cffe35f245e8533df8eba3f2a
Instruction Fuzzy Hash: 379180B42043019FCB14FF20C591A69BBA1EF85314F04986DF9966B7E2DB31ED46CB61

Function 00E0BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E0BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00E06D80,?), ref: 00E0BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E0BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E0BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E0BC7D
FreeLibrary.KERNEL32(?), ref: 00E0BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0BC99
DestroyIcon.USER32(?), ref: 00E0BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E0BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E0BCD1

Part of subcall function 00DA313D: __wcsicmp_l.LIBCMT ref: 00DA31C6

Strings

.exe, xrefs: 00E0BB04
.icl, xrefs: 00E0BAE4
.dll, xrefs: 00E0BB27

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2ca6dfc36345dcf65a98e5558b0d25fa8d5660ca90262b480b11990406d3c997
Instruction ID: 84d2781c50a8ab83b719c935485432979ae0d9306cad8ae2c2b8b38179126df6
Opcode Fuzzy Hash: 2ca6dfc36345dcf65a98e5558b0d25fa8d5660ca90262b480b11990406d3c997
Instruction Fuzzy Hash: 8861CE71500219BEEB24DF65CC85FBEB7A8FB08710F10421AF915E61D0DB75AAD4DBA0

Function 00DEA0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00E0FB78), ref: 00DEA0FC

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00DEA11E
__swprintf.LIBCMT ref: 00DEA177
__swprintf.LIBCMT ref: 00DEA190
_wprintf.LIBCMT ref: 00DEA246
_wprintf.LIBCMT ref: 00DEA264

Strings

^ ERROR, xrefs: 00DEA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00DEA241
%, xrefs: 00DEA0C9
Line %d (File "%s"):, xrefs: 00DEA171, 00DEA18A
"%s" (%d) : ==> %s:, xrefs: 00DEA25F
Error: , xrefs: 00DEA20E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
API String ID: 311963372-1048875529
Opcode ID: f020a7b9da1ace08ea210042820d24e992719151cce7974ebe65d57151314d90
Instruction ID: 5663930e1d125d99ece67c3c123740669864027ac1c12e7bde7e6ca66ec2a8b7
Opcode Fuzzy Hash: f020a7b9da1ace08ea210042820d24e992719151cce7974ebe65d57151314d90
Instruction Fuzzy Hash: 48515A7290420ABACF15FBA5CD86EEEB779EF05300F240165B505720A1EB31AF59CBB1

Function 00DEA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

CharLowerBuffW.USER32(?,?), ref: 00DEA636
GetDriveTypeW.KERNEL32 ref: 00DEA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DEA730

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Strings

set cd door , xrefs: 00DEA6D1
open, xrefs: 00DEA65D
close cd wait, xrefs: 00DEA71B
close, xrefs: 00DEA63C
type cdaudio alias cd wait, xrefs: 00DEA6AE
closed, xrefs: 00DEA64A, 00DEA653
open , xrefs: 00DEA692
wait, xrefs: 00DEA6ED

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: cc40e3a799de07fb1d3d6af3415d343c3a6d09f585b9a3a756d38e658b7e0704
Instruction ID: 0969be9d7dd6249341ef5cfa4b4966fb2988a4834dabc3a2304b813926c41ccf
Opcode Fuzzy Hash: cc40e3a799de07fb1d3d6af3415d343c3a6d09f585b9a3a756d38e658b7e0704
Instruction Fuzzy Hash: 835128711043059FC704FF25C89186AB7E8EF98718F18496DF89667261DB31EE0ACB62

Function 00DEA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DEA47A
__swprintf.LIBCMT ref: 00DEA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DEA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DEA4FE
_memset.LIBCMT ref: 00DEA51D
_wcsncpy.LIBCMT ref: 00DEA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DEA58E
CloseHandle.KERNEL32(00000000), ref: 00DEA599
RemoveDirectoryW.KERNEL32(?), ref: 00DEA5A2
CloseHandle.KERNEL32(00000000), ref: 00DEA5AC

Strings

\, xrefs: 00DEA4B2
\??\%s, xrefs: 00DEA496
:, xrefs: 00DEA4BD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 3faaf2109099100390fa4147fa9a0fc04aa84ee51c82d2411a9ed5e73d59074c
Instruction ID: c00bd1a042b7003775780be8f0de6fc122cb75c1f7897625ae886112951c791a
Opcode Fuzzy Hash: 3faaf2109099100390fa4147fa9a0fc04aa84ee51c82d2411a9ed5e73d59074c
Instruction Fuzzy Hash: EB31BF7150024AAADB20DFA5DC48FAB37BCEF89701F1441B6F908E2060E67096948B35

Function 00DBAB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 00DBAB7B
___wtomb_environ.LIBCMT ref: 00DBAB9D

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

__malloc_crt.LIBCMT ref: 00DBABC5
__malloc_crt.LIBCMT ref: 00DBABE2
_free.LIBCMT ref: 00DBAC19
__recalloc_crt.LIBCMT ref: 00DBAC52
__recalloc_crt.LIBCMT ref: 00DBAC97
_strlen.LIBCMT ref: 00DBACC3
__calloc_crt.LIBCMT ref: 00DBACCD
_strlen.LIBCMT ref: 00DBACDC
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 00DBAD0A
_free.LIBCMT ref: 00DBAD24
_free.LIBCMT ref: 00DBAD31
_free.LIBCMT ref: 00DBAD43
__invoke_watson.LIBCMT ref: 00DBAD5D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID:
API String ID: 884005220-0
Opcode ID: bc7b6f98c9470834118dbacb67800a3cde708d2fb514a4d6a7f8f46b5e353cff
Instruction ID: 6508cf42ad808c183c8b60141d9436833b180d44e0d2c186f69b49fdaf4854c2
Opcode Fuzzy Hash: bc7b6f98c9470834118dbacb67800a3cde708d2fb514a4d6a7f8f46b5e353cff
Instruction Fuzzy Hash: C061E772901205EFDB209F2DD842BAA7BA5EF12721F18411AE812AB2D1EB35D941C776

Function 00E0C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E0C4EC
GetFocus.USER32 ref: 00E0C4FC
GetDlgCtrlID.USER32(00000000), ref: 00E0C507
_memset.LIBCMT ref: 00E0C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E0C65D
GetMenuItemCount.USER32(?), ref: 00E0C67D
GetMenuItemID.USER32(?,00000000), ref: 00E0C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E0C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E0C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E0C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E0C779

Strings

0, xrefs: 00E0C62A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 122e49d349290b564fcfb83e95fe3791823332e41c173c003e9dbcf1d7cda10f
Instruction ID: 4ad8de59b14c256143969633f82a5535269d4a72fc900104f9708ad4f48362b5
Opcode Fuzzy Hash: 122e49d349290b564fcfb83e95fe3791823332e41c173c003e9dbcf1d7cda10f
Instruction Fuzzy Hash: 6681A0745083019FD720CF24D884A6BBBE8FF89718F24162EF995A3291D771D985CFA2

Function 00DD83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD8766
Part of subcall function 00DD874A: GetLastError.KERNEL32(?,00DD822A,?,?,?), ref: 00DD8770
Part of subcall function 00DD874A: GetProcessHeap.KERNEL32(00000008,?,?,00DD822A,?,?,?), ref: 00DD877F
Part of subcall function 00DD874A: HeapAlloc.KERNEL32(00000000,?,00DD822A,?,?,?), ref: 00DD8786
Part of subcall function 00DD874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD879D

Part of subcall function 00DD87E7: GetProcessHeap.KERNEL32(00000008,00DD8240,00000000,00000000,?,00DD8240,?), ref: 00DD87F3
Part of subcall function 00DD87E7: HeapAlloc.KERNEL32(00000000,?,00DD8240,?), ref: 00DD87FA
Part of subcall function 00DD87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00DD8240,?), ref: 00DD880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DD8458
_memset.LIBCMT ref: 00DD846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DD848C
GetLengthSid.ADVAPI32(?), ref: 00DD849D
GetAce.ADVAPI32(?,00000000,?), ref: 00DD84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DD84F6
GetLengthSid.ADVAPI32(?), ref: 00DD8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00DD8522
HeapAlloc.KERNEL32(00000000), ref: 00DD8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DD854A
CopySid.ADVAPI32(00000000), ref: 00DD8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DD8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DD85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DD85BC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: a3cbdeb7c9be34a50c7761288d72617a275656dcec78d0318454fdbb62d1a375
Instruction ID: 1dac9508b0439a6e1872a621742f5b030146754a217dda137a2ad8a4f897a611
Opcode Fuzzy Hash: a3cbdeb7c9be34a50c7761288d72617a275656dcec78d0318454fdbb62d1a375
Instruction Fuzzy Hash: 19615A7190020AAFDF11DFA5EC45AEEBBB9FF04310F04816AF815A7291DB31AA55DF60

Function 00DF762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DF76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DF76AE
CreateCompatibleDC.GDI32(?), ref: 00DF76BA
SelectObject.GDI32(00000000,?), ref: 00DF76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DF771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00DF7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DF777B
SelectObject.GDI32(00000006,?), ref: 00DF7783
DeleteObject.GDI32(?), ref: 00DF778C
DeleteDC.GDI32(00000006), ref: 00DF7793
ReleaseDC.USER32(00000000,?), ref: 00DF779E

Strings

(, xrefs: 00DF7723

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a7a2c71be02eb2ce0c2b43c078ecfba3c19bc2d7214026f32637e101eea5a4ad
Instruction ID: aa6644ed6748f9452e3ee64aea035d15f60add14037abdabba85ed0609722b82
Opcode Fuzzy Hash: a7a2c71be02eb2ce0c2b43c078ecfba3c19bc2d7214026f32637e101eea5a4ad
Instruction Fuzzy Hash: 83515B75904209EFCB25CFA9CC85EAEBBB9EF48310F14842DFA49A7211D731A844CB60

Function 00D86BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00DA0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D86C6C,?,00008000), ref: 00DA0BB7

Part of subcall function 00D848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D848A1,?,?,00D837C0,?), ref: 00D848CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D86D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00D86E5A

Part of subcall function 00D859CD: _wcscpy.LIBCMT ref: 00D85A05

Part of subcall function 00DA387D: _iswctype.LIBCMT ref: 00DA3885

Strings

Error opening the file, xrefs: 00DBE866, 00DBE8E1
>>>AUTOIT SCRIPT<<<, xrefs: 00DBE8BF
EA06, xrefs: 00DBE87B
Unterminated string, xrefs: 00DBEC0D
Bad directive syntax error, xrefs: 00DBEBC6
AU3!, xrefs: 00D86CC1
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00DBE84A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8da97e2d62e62950b17d818acaa7f1aacf03c4c9d3465f4202ac1204e2563c0d
Instruction ID: 999d21f31171698cceceb4c8dec92c248da0856d924e08d3c3aaf04ab067cc18
Opcode Fuzzy Hash: 8da97e2d62e62950b17d818acaa7f1aacf03c4c9d3465f4202ac1204e2563c0d
Instruction Fuzzy Hash: 8D0257351083419FC724EF24C881AAFBBE5EF99354F14492DF49A972A1DB30E949CB72

Function 00D845DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D845F9
GetMenuItemCount.USER32(00E46890), ref: 00DBD7CD
GetMenuItemCount.USER32(00E46890), ref: 00DBD87D
GetCursorPos.USER32(?), ref: 00DBD8C1
SetForegroundWindow.USER32(00000000), ref: 00DBD8CA
TrackPopupMenuEx.USER32(00E46890,00000000,?,00000000,00000000,00000000), ref: 00DBD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00DBD8E9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 78e37f720ef822855e260f31bcf4826a18b7a28bc64469edc9d99adc047bc05e
Instruction ID: 5ddb7eb7b150808156f9ed0a117f01fda4f7faa155726b47687977f94aed0214
Opcode Fuzzy Hash: 78e37f720ef822855e260f31bcf4826a18b7a28bc64469edc9d99adc047bc05e
Instruction Fuzzy Hash: 7D71D270600216BEEB209F55DC85FEABF6AFB05364F240216F516661E0DBB29860DBB4

Function 00DF8BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DF8BEC
CoInitialize.OLE32(00000000), ref: 00DF8C19
CoUninitialize.OLE32 ref: 00DF8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00DF8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00DF8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E12C0C), ref: 00DF8E84
CoGetObject.OLE32(?,00000000,00E12C0C,?), ref: 00DF8EA7
SetErrorMode.KERNEL32(00000000), ref: 00DF8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DF8F3A
VariantClear.OLEAUT32(?), ref: 00DF8F4A

Strings

,,, xrefs: 00DF8BD6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: b81607ee5fbf6b0971abc2f0ab53058ea1dd5b6004d6e40e11e9e896656f49d3
Instruction ID: 383c82e58ba88c6ddaef30a78cbe779304285f15df76e1d0f96fd379d23ebb1f
Opcode Fuzzy Hash: b81607ee5fbf6b0971abc2f0ab53058ea1dd5b6004d6e40e11e9e896656f49d3
Instruction Fuzzy Hash: F5C13471608309AFD700EF64C88492BB7E9FF88748F04895DF6899B251DB71ED45CB62

Function 00E010A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E00038,?,?), ref: 00E010BC

Strings

HKEY_CLASSES_ROOT, xrefs: 00E0114F
HKLM, xrefs: 00E0113A
HKEY_USERS, xrefs: 00E011BD
HKEY_CURRENT_CONFIG, xrefs: 00E01179
HKEY_LOCAL_MACHINE, xrefs: 00E01125
HKEY_CURRENT_USER, xrefs: 00E0119B
HKCR, xrefs: 00E01164
HKU, xrefs: 00E011CE
HKCU, xrefs: 00E011AC
HKCC, xrefs: 00E0118A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: e1563542afca8ebb8e1a2d19af0e13f5438fd05f9148b6ab4e4b00ad96028157
Instruction ID: 4682f8360302bcc30991968a4ab5c41cd614244be1b4c99637a1eca55f98f00e
Opcode Fuzzy Hash: e1563542afca8ebb8e1a2d19af0e13f5438fd05f9148b6ab4e4b00ad96028157
Instruction Fuzzy Hash: 5D417D7110124A8BCF14EF90DC95AEA3B24FF66304F105494FD926B692DB30AD5ACBB1

Function 00DE5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Part of subcall function 00D87A84: _memmove.LIBCMT ref: 00D87B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DE55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DE55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DE55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DE560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DE561C

Strings

close PlayMe, xrefs: 00DE55E3, 00DE5610
play PlayMe wait, xrefs: 00DE5606
alias PlayMe, xrefs: 00DE55AB
play PlayMe, xrefs: 00DE5617
open , xrefs: 00DE5581
status PlayMe mode, xrefs: 00DE55CD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 06f1f0581f1b56a362d1001c7ceb3deb8399fd1964bfba1754201f4a64772db8
Instruction ID: e62faab1f1e7e714016315752d357be23c977ad73ce35c5dfceb3456d5052f47
Opcode Fuzzy Hash: 06f1f0581f1b56a362d1001c7ceb3deb8399fd1964bfba1754201f4a64772db8
Instruction Fuzzy Hash: 3311E22056026979D720B762DC8ACFF7F7CEF91F40F480429B444A20D1DE605D45CAB1

Function 00DE48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DE490E
gethostname.WSOCK32(?,00000100), ref: 00DE4928
gethostbyname.WSOCK32(?), ref: 00DE4935
_wcscpy.LIBCMT ref: 00DE495D
_memmove.LIBCMT ref: 00DE4970
inet_ntoa.WSOCK32(?), ref: 00DE497B
_strcat.LIBCMT ref: 00DE4989
_wcscpy.LIBCMT ref: 00DE49A0
WSACleanup.WSOCK32 ref: 00DE49AE
_wcscpy.LIBCMT ref: 00DE49BC

Strings

0.0.0.0, xrefs: 00DE4957

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: ac1d2f99b3e366ad41490e7ede49c351bca749957283855b3686e1d8ea45784a
Instruction ID: 63d8039fc52d49d6c13b4cd7f071b17bcfefbaea08d868bf82c0c46e07060fa4
Opcode Fuzzy Hash: ac1d2f99b3e366ad41490e7ede49c351bca749957283855b3686e1d8ea45784a
Instruction Fuzzy Hash: 1511D531904114AFCB24FB669C4AEEB77ACDF41710F0841BAF444B6092EF719AC58A71

Function 00DE5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DE521C

Part of subcall function 00DA0719: timeGetTime.WINMM(?,75C0B400,00D90FF9), ref: 00DA071D

Sleep.KERNEL32(0000000A), ref: 00DE5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00DE526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DE528E
SetActiveWindow.USER32 ref: 00DE52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DE52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DE52DA
Sleep.KERNEL32(000000FA), ref: 00DE52E5
IsWindow.USER32 ref: 00DE52F1
EndDialog.USER32(00000000), ref: 00DE5302

Strings

BUTTON, xrefs: 00DE5280

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5a918fcce9f21ad457d4428139c33a0b1b018412efc7a1e715b8fff83f87487a
Instruction ID: 1a3a40619075d1e9365d126aae9abda662492937d2aa6b0e139982c5de24e145
Opcode Fuzzy Hash: 5a918fcce9f21ad457d4428139c33a0b1b018412efc7a1e715b8fff83f87487a
Instruction Fuzzy Hash: 8121A474504744AFE7106F23FC88B263B6AEB4638AF041424F141A65B1CBB6AC9997F6

Function 00DED7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

CoInitialize.OLE32(00000000), ref: 00DED855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DED8E8
SHGetDesktopFolder.SHELL32(?), ref: 00DED8FC
CoCreateInstance.OLE32(00E12D7C,00000000,00000001,00E3A89C,?), ref: 00DED948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DED9B7
CoTaskMemFree.OLE32(?,?), ref: 00DEDA0F
_memset.LIBCMT ref: 00DEDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00DEDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DEDAAB
CoTaskMemFree.OLE32(00000000), ref: 00DEDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00DEDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00DEDAEB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d19fce0019d52983199cc486dbaa2af95740a1248be11f8d8e4e8c7ca17fb90a
Instruction ID: 7f81d372ddc2af7d0add25c889450a619de265f88b4e3cc4d0262ac53dba70a2
Opcode Fuzzy Hash: d19fce0019d52983199cc486dbaa2af95740a1248be11f8d8e4e8c7ca17fb90a
Instruction Fuzzy Hash: 24B1F075A00109AFDB14EFA5C894DAEBBF9FF48304B148469F909EB251DB31EE45CB60

Function 00DE052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DE05A7
SetKeyboardState.USER32(?), ref: 00DE0612
GetAsyncKeyState.USER32(000000A0), ref: 00DE0632
GetKeyState.USER32(000000A0), ref: 00DE0649
GetAsyncKeyState.USER32(000000A1), ref: 00DE0678
GetKeyState.USER32(000000A1), ref: 00DE0689
GetAsyncKeyState.USER32(00000011), ref: 00DE06B5
GetKeyState.USER32(00000011), ref: 00DE06C3
GetAsyncKeyState.USER32(00000012), ref: 00DE06EC
GetKeyState.USER32(00000012), ref: 00DE06FA
GetAsyncKeyState.USER32(0000005B), ref: 00DE0723
GetKeyState.USER32(0000005B), ref: 00DE0731

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7b31f067bde0204b63bcc6a89cdbefc3c4a179d2150010e3e8ca99cde6b9bdde
Instruction ID: a15eeb4a63fc299390e598bc3e99a9cd65eb8bb6b2cce2ae86886892113c5f81
Opcode Fuzzy Hash: 7b31f067bde0204b63bcc6a89cdbefc3c4a179d2150010e3e8ca99cde6b9bdde
Instruction Fuzzy Hash: DA51B974A047C82AFB35FBA288547EABFB49F01380F4C459DD5C6561C2DAA49ACCCB71

Function 00DDC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DDC746
GetWindowRect.USER32(00000000,?), ref: 00DDC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00DDC7B6
GetDlgItem.USER32(?,00000002), ref: 00DDC7C1
GetWindowRect.USER32(00000000,?), ref: 00DDC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00DDC827
GetDlgItem.USER32(?,000003E9), ref: 00DDC835
GetWindowRect.USER32(00000000,?), ref: 00DDC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00DDC889
GetDlgItem.USER32(?,000003EA), ref: 00DDC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DDC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00DDC8C1

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 86554bcb8ddb1b393f2cc695f0c7c162be115a855f6d669f40edc051caeb515a
Instruction ID: 0b1cce1bfd645f224d7ad13c053af46b3e801a7facb8a3f7f7e72a7c5d60f337
Opcode Fuzzy Hash: 86554bcb8ddb1b393f2cc695f0c7c162be115a855f6d669f40edc051caeb515a
Instruction Fuzzy Hash: 71515071B10205AFDB18CFA9DD89AAEBBBAFB88310F14812EF515E7290D7719D44CB50

Function 00D8201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D82036,?,00000000,?,?,?,?,00D816CB,00000000,?), ref: 00D81B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D820D3
KillTimer.USER32(-00000001,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00D8216E
DestroyAcceleratorTable.USER32(00000000), ref: 00DBBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00DBBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00DBBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D816CB,00000000,?,?,00D81AE2,?,?), ref: 00DBBF5A
DeleteObject.GDI32(00000000), ref: 00DBBF6C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5e010730121143a47157b1c8690f428fa91a11035f9ba176e2aac3c05dd65686
Instruction ID: cc3fbd478b83d1f58e38d220a0045f4499d8f8be04af616445db4312ae59e0bf
Opcode Fuzzy Hash: 5e010730121143a47157b1c8690f428fa91a11035f9ba176e2aac3c05dd65686
Instruction Fuzzy Hash: 4D61AD34100710DFDB39AF15DD48B79B7F1FF4A316F18442AE18266960C772A896DFA2

Function 00D821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00D825DB: GetWindowLongW.USER32(?,000000EB), ref: 00D825EC

GetSysColor.USER32(0000000F), ref: 00D821D3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d8953f11f188f91a7a91edbe7d53bfd0500c22545c22fed1d980db54203e7407
Instruction ID: f220ae3099ea0cce7a5f6bd5e74c428134dd8efb513659b977b9e3dec68a81f5
Opcode Fuzzy Hash: d8953f11f188f91a7a91edbe7d53bfd0500c22545c22fed1d980db54203e7407
Instruction Fuzzy Hash: 7D41B031100240EFDB256F68EC88BB93B65FB06331F584265FD669A1E2C7328C82DB75

Function 00DEAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E0F910), ref: 00DEAB76
GetDriveTypeW.KERNEL32(00000061,00E3A620,00000061), ref: 00DEAC40
_wcscpy.LIBCMT ref: 00DEAC6A

Strings

fixed, xrefs: 00DEABBE
network, xrefs: 00DEABD4
all, xrefs: 00DEAB7C
ramdisk, xrefs: 00DEABEA
removable, xrefs: 00DEABA8
unknown, xrefs: 00DEAC01
cdrom, xrefs: 00DEAB92

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e329a4fb0782f8862769f6388da320631079715b66745359aada5017474c6792
Instruction ID: 397d264867e57eea9ce578d1782f0750e64c80ac3924ce751cd07015a1aaefb9
Opcode Fuzzy Hash: e329a4fb0782f8862769f6388da320631079715b66745359aada5017474c6792
Instruction Fuzzy Hash: DF5190351083429BC714FF19C892AAABBA5EF85304F584829F4D6572A2DB31E949CB73

Function 00E0C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

Part of subcall function 00D82344: GetCursorPos.USER32(?), ref: 00D82357
Part of subcall function 00D82344: ScreenToClient.USER32(00E467B0,?), ref: 00D82374
Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000001), ref: 00D82399
Part of subcall function 00D82344: GetAsyncKeyState.USER32(00000002), ref: 00D823A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00E0C2E4
ImageList_EndDrag.COMCTL32 ref: 00E0C2EA
ReleaseCapture.USER32 ref: 00E0C2F0
SetWindowTextW.USER32(?,00000000), ref: 00E0C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E0C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00E0C48F

Strings

@GUI_DRAGFILE, xrefs: 00E0C424
@GUI_DROPID, xrefs: 00E0C3E1
pr, xrefs: 00E0C3FD
pr, xrefs: 00E0C438

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 1924731296-488423084
Opcode ID: fbc458314dc3a5576054c684f4ea56a523ade210bac9d10d1e20e18e5749efb9
Instruction ID: 1779e53d87cbec6738679825a57d78f6d0dfd7bda625c273b218b5ea76e6331f
Opcode Fuzzy Hash: fbc458314dc3a5576054c684f4ea56a523ade210bac9d10d1e20e18e5749efb9
Instruction Fuzzy Hash: E551BE74204304AFD714EF20DC96F6A7BE4FB89314F10462DF591AB2E1CB71A999CB62

Function 00D89997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00D899C2
__swprintf.LIBCMT ref: 00D89A0C
__i64tow.LIBCMT ref: 00DBFA0F

Strings

%.15g, xrefs: 00D89A06
False, xrefs: 00DBF9D7
0x%p, xrefs: 00DBF9F1
True, xrefs: 00DBF9D0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 31d6958d2273a9563e82b776a031d0cb376f757851c1ee7f7f8edc668d926541
Instruction ID: 2d1cd59d7239cdf22af26bc69ac866124ea9325cae23ff72714d3f3031e69c6d
Opcode Fuzzy Hash: 31d6958d2273a9563e82b776a031d0cb376f757851c1ee7f7f8edc668d926541
Instruction Fuzzy Hash: 3941B271604205EEDF24BB38DC42E7AB7E8EF45310F28446EE58AD6291EA71D941CB31

Function 00E073C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E073D9
CreateMenu.USER32 ref: 00E073F4
SetMenu.USER32(?,00000000), ref: 00E07403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E07490
IsMenu.USER32(?), ref: 00E074A6
CreatePopupMenu.USER32 ref: 00E074B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E074DD
DrawMenuBar.USER32 ref: 00E074E5

Strings

F, xrefs: 00E074D1
0, xrefs: 00E073CF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 0874d9d49637d9d37b8d819703a1655419d197a95123c838211a4183fe10f916
Instruction ID: 712cd4ac637dbb5c511b2591025c697eb6d429257f577a2bc5e35e95c3011151
Opcode Fuzzy Hash: 0874d9d49637d9d37b8d819703a1655419d197a95123c838211a4183fe10f916
Instruction Fuzzy Hash: DC415878A00205EFDB20DF65D884A9ABBB5FF49305F144029F995B73A0D731AD64CB60

Function 00E0772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E077CD
CreateCompatibleDC.GDI32(00000000), ref: 00E077D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E077E7
SelectObject.GDI32(00000000,00000000), ref: 00E077EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E077FA
DeleteDC.GDI32(00000000), ref: 00E07803
GetWindowLongW.USER32(?,000000EC), ref: 00E0780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E07821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E0782D

Strings

static, xrefs: 00E07765

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: afb4ce815edfdf4ed220ecab5176433a5d6fe0725180c01812c84ce565755ed9
Instruction ID: c99584dbaf26fd30db0697e86fb658c2aacdacf6e9509a3d54ab37e72b02f272
Opcode Fuzzy Hash: afb4ce815edfdf4ed220ecab5176433a5d6fe0725180c01812c84ce565755ed9
Instruction Fuzzy Hash: F731AA32101214AFDF229FA5DC08FDA3B69FF09365F104225FA55B20E0C732E8A5DBA0

Function 00DA7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA707B

Part of subcall function 00DA8D68: __getptd_noexit.LIBCMT ref: 00DA8D68

__gmtime64_s.LIBCMT ref: 00DA7114
__gmtime64_s.LIBCMT ref: 00DA714A
__gmtime64_s.LIBCMT ref: 00DA7167
__allrem.LIBCMT ref: 00DA71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA71D9
__allrem.LIBCMT ref: 00DA71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA720E
__allrem.LIBCMT ref: 00DA7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA7243
__invoke_watson.LIBCMT ref: 00DA72B4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 9f7f7105af4bccf5a6ba3d2a98c30e4e7e13fd0ba743983d2d51e0a861fcdd3f
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: EF71D771A04716ABD7149F79CC42BAAB3B8FF16324F14423AF915E7281E770E94087B4

Function 00DE2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE2A31
GetMenuItemInfoW.USER32(00E46890,000000FF,00000000,00000030), ref: 00DE2A92
SetMenuItemInfoW.USER32(00E46890,00000004,00000000,00000030), ref: 00DE2AC8
Sleep.KERNEL32(000001F4), ref: 00DE2ADA
GetMenuItemCount.USER32(?), ref: 00DE2B1E
GetMenuItemID.USER32(?,00000000), ref: 00DE2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00DE2B64
GetMenuItemID.USER32(?,?), ref: 00DE2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DE2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE2C24

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 30b95759bdad752ab68e938d7e336b990ee11958a9d98f06fb7093de6e3c1e7e
Instruction ID: 8346aaf50300236d2a103f24b8cf9e32ce326d7a10fee315d4152fdf9e388537
Opcode Fuzzy Hash: 30b95759bdad752ab68e938d7e336b990ee11958a9d98f06fb7093de6e3c1e7e
Instruction Fuzzy Hash: 9A61B2B0900289AFDB21EF66CC88DBE7BBCEB41304F180569E841A7251D771AD59DB31

Function 00E07192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E07214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E07217
GetWindowLongW.USER32(?,000000F0), ref: 00E0723B
_memset.LIBCMT ref: 00E0724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E0725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E072D6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 812a5384adfa09ddbe07a2a4d0921939325eb0ef9e1c4aed25b8d1d4af1ce8f4
Instruction ID: e2c8011150dbef71c28e9adb87295bc9e99ba41b63717b839042b111329375ab
Opcode Fuzzy Hash: 812a5384adfa09ddbe07a2a4d0921939325eb0ef9e1c4aed25b8d1d4af1ce8f4
Instruction Fuzzy Hash: 4E615A75A00208AFDB20DFA4CC81EEE77F8EB09714F140159FA54A72E1D774AD85DB60

Function 00DD710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DD7135
SafeArrayAllocData.OLEAUT32(?), ref: 00DD718E
VariantInit.OLEAUT32(?), ref: 00DD71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DD71C0
VariantCopy.OLEAUT32(?,?), ref: 00DD7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DD7227
VariantClear.OLEAUT32(?), ref: 00DD723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00DD7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DD7252
VariantClear.OLEAUT32(?), ref: 00DD7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DD726F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 81e44ea1733e314c3b528ec65ee7ec657d3cf0c2bb6dfa2df2c519648e2488de
Instruction ID: c197ca5970f5794c6e4bb7990ddd6e87ab947dd8a0595df48439bb025a223fce
Opcode Fuzzy Hash: 81e44ea1733e314c3b528ec65ee7ec657d3cf0c2bb6dfa2df2c519648e2488de
Instruction Fuzzy Hash: 26415135A04219AFCF10DF65D8849AEBBB8FF08354F00806AF955A7761DB31E949CBA0

Function 00DF5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DF5AA6
inet_addr.WSOCK32(?,?,?), ref: 00DF5AEB
gethostbyname.WSOCK32(?), ref: 00DF5AF7
IcmpCreateFile.IPHLPAPI ref: 00DF5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DF5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DF5C00
WSACleanup.WSOCK32 ref: 00DF5C06

Strings

Ping, xrefs: 00DF5B29

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b81dfc683f02a295565b844de3effb112f693219bbc8d147011e194d32b9fd6c
Instruction ID: 93f3c6bfde6e97aff3fbe3061108e0cf4b94c6260fba4440efaf82b30c580881
Opcode Fuzzy Hash: b81dfc683f02a295565b844de3effb112f693219bbc8d147011e194d32b9fd6c
Instruction Fuzzy Hash: 9B51A3316047009FD720EF25EC49B3AB7E4EF44710F09852AF696EB2A5DB70E844CB62

Function 00DEB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DEB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DEB7B1
GetLastError.KERNEL32 ref: 00DEB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00DEB828

Strings

UNKNOWN, xrefs: 00DEB7E0
READONLY, xrefs: 00DEB7F3
NOTREADY, xrefs: 00DEB7E7
READY, xrefs: 00DEB801
INVALID, xrefs: 00DEB7FA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 448b9547659da3ae3b9e809e67b3e018dd4e6b1d8ea1f00e94beab0337d14a2b
Instruction ID: 25931bac6454b0dc1d17d2cae013fd451f8020b964a654ee88ac64fe6d032109
Opcode Fuzzy Hash: 448b9547659da3ae3b9e809e67b3e018dd4e6b1d8ea1f00e94beab0337d14a2b
Instruction Fuzzy Hash: 8E318335A00345AFDB14FF65C889ABFBBB4EF44720F18402AE541A7291DB71E946CBB1

Function 00DD9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00DD94F6
GetDlgCtrlID.USER32 ref: 00DD9501
GetParent.USER32 ref: 00DD951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DD9520
GetDlgCtrlID.USER32(?), ref: 00DD9529
GetParent.USER32(?), ref: 00DD9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DD9548

Strings

ListBox, xrefs: 00DD94B3
ComboBox, xrefs: 00DD947E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9eb1a6895a1c7492e64f8209d3f374520e1e8ceb906e965921d88af05ec1cd2a
Instruction ID: 09c279d6ebd7b0d38bd4ba91e9a08ed78246c684176308bcd5f28c0dc8c08471
Opcode Fuzzy Hash: 9eb1a6895a1c7492e64f8209d3f374520e1e8ceb906e965921d88af05ec1cd2a
Instruction Fuzzy Hash: 3621D174A00204BFCF04AF61DC95DBEBB64EF45310F100226F561A72A2DB769959DB70

Function 00DD955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00DD95DF
GetDlgCtrlID.USER32 ref: 00DD95EA
GetParent.USER32 ref: 00DD9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DD9609
GetDlgCtrlID.USER32(?), ref: 00DD9612
GetParent.USER32(?), ref: 00DD962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00DD9631

Strings

ListBox, xrefs: 00DD959E
ComboBox, xrefs: 00DD9569

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e615be4247a9efeaeaf4ec151a9d4059b82460aea532f57f0d57995fa31da3b4
Instruction ID: 17b45d9d0322bf9cb32dc0419b30609343eb93ca42cbe2f78e30c36a58ec3bbf
Opcode Fuzzy Hash: e615be4247a9efeaeaf4ec151a9d4059b82460aea532f57f0d57995fa31da3b4
Instruction Fuzzy Hash: 1B21C174A00204BFDF04AB61DC95EFEBBB8EF48300F140116F951A72A1DB769969DB30

Function 00DD9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DD9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00DD9666
_wcscmp.LIBCMT ref: 00DD9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DD96F3

Strings

list, xrefs: 00DD96D5
largeicons, xrefs: 00DD9687
details, xrefs: 00DD96A1
SHELLDLL_DefView, xrefs: 00DD9672
smallicons, xrefs: 00DD96BB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 1f9ededd91a7befddfcdee9fae1aaf2237456ee9dd4cdaaa02562dec4474ada6
Instruction ID: 094fb8bbc0f75b1f8ab2a890809a518ff03cd0d3fbb6ffb87cd3245584fce1cc
Opcode Fuzzy Hash: 1f9ededd91a7befddfcdee9fae1aaf2237456ee9dd4cdaaa02562dec4474ada6
Instruction Fuzzy Hash: 8F112C77248307BAFA152621EC1BDA6B79CCB05360F200127F900B51D2FF93E9918B78

Function 00DE4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DE419D
__swprintf.LIBCMT ref: 00DE41AA

Part of subcall function 00DA38D8: __woutput_l.LIBCMT ref: 00DA3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00DE41D4
LoadResource.KERNEL32(?,00000000), ref: 00DE41E0
LockResource.KERNEL32(00000000), ref: 00DE41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00DE420D
LoadResource.KERNEL32(?,00000000), ref: 00DE421F
SizeofResource.KERNEL32(?,00000000), ref: 00DE422E
LockResource.KERNEL32(?), ref: 00DE423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00DE429B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 4df75cfb58d3ce3fd353bce92d5c5962bec70ba6b599648f334aaa6fea336e86
Instruction ID: 46a3a2175715ff70299105c7c06046b70ec3a140db6eaad9985aac47402977aa
Opcode Fuzzy Hash: 4df75cfb58d3ce3fd353bce92d5c5962bec70ba6b599648f334aaa6fea336e86
Instruction Fuzzy Hash: EA31C175A0525AAFCB11AF62DC48EBF7BADEF09301F044525F901E6150D734DA61CBB4

Function 00DE16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DE1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE1714
GetWindowThreadProcessId.USER32(00000000), ref: 00DE171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DE173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00DE0778,?,00000001), ref: 00DE17CC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: eaef975328dfcc71a8bd3b7f18e4107b82265d4cf185cc1fe6f0d1776eb2811c
Instruction ID: d8798b563108239b17bc98cee1dbbecda1a89ef8aaedf50e1067009b42b10cf2
Opcode Fuzzy Hash: eaef975328dfcc71a8bd3b7f18e4107b82265d4cf185cc1fe6f0d1776eb2811c
Instruction Fuzzy Hash: EC31B179700244FFDB21FF17EC84B6937A9AB1AB51F144015F844E62A0DB719D898BA0

Function 00D8FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D8FC06
OleUninitialize.OLE32(?,00000000), ref: 00D8FCA5
UnregisterHotKey.USER32(?), ref: 00D8FDFC
DestroyWindow.USER32(?), ref: 00DC4A00
FreeLibrary.KERNEL32(?), ref: 00DC4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00DC4A92

Strings

close all, xrefs: 00D8FC01

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d41dc806add7357e069e017a429aef23fec818431a43ead1d68ed830e835eb3a
Instruction ID: acf1945902d5f453571b6e9663655bf2cd3483cf56e0e47186f119aba28e44bb
Opcode Fuzzy Hash: d41dc806add7357e069e017a429aef23fec818431a43ead1d68ed830e835eb3a
Instruction Fuzzy Hash: 64A137347022128FCB29EB54C4A5F69F7A4EF04704F1842ADE90AAB261DB30ED16CF74

Function 00DF9428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF947C
VariantInit.OLEAUT32(?), ref: 00DF954D
VariantInit.OLEAUT32(?), ref: 00DF964E
VariantClear.OLEAUT32(?), ref: 00DF9658
VariantClear.OLEAUT32(?), ref: 00DF96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00DF9631
,,, xrefs: 00DF94FA
Null Object assignment in FOR..IN loop, xrefs: 00DF94DD, 00DF960B, 00DF96C3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: 4bef425661fecc3dc09693517ec3091c68d98c0b76ac830a737d05d909f83429
Instruction ID: 655801ef256b3cbb824a4ca4c5dccf06f7b0ae4c25a6604ded77cc5a8fd582dc
Opcode Fuzzy Hash: 4bef425661fecc3dc09693517ec3091c68d98c0b76ac830a737d05d909f83429
Instruction Fuzzy Hash: EC919B70E00219ABDF24DFA5C898FAEFBB8EF85710F158159F615AB280D7709945CBB0

Function 00DDA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00DDAA64), ref: 00DDA9A2

Strings

TEXT, xrefs: 00DDA8D9
NAME, xrefs: 00DDA7D4
REGEXPCLASS, xrefs: 00DDA767
INSTANCE, xrefs: 00DDA8B0
CLASSNN, xrefs: 00DDA744
CLASS, xrefs: 00DDA721

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ae293180d99e46146149ae6b4e783f5c57cb89b261a817d70849721240f17987
Instruction ID: ff0c2d40cd4999c6cb7e5943a36e279487d3d4870c1d6ab9461069f70d6c6354
Opcode Fuzzy Hash: ae293180d99e46146149ae6b4e783f5c57cb89b261a817d70849721240f17987
Instruction Fuzzy Hash: 6C91A471A00606ABDB08DF64C492BE9FB75FF04300F54C11AE89AA7641DF30AA59DBB1

Function 00D82E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D82EAE

Part of subcall function 00D81DB3: GetClientRect.USER32(?,?), ref: 00D81DDC
Part of subcall function 00D81DB3: GetWindowRect.USER32(?,?), ref: 00D81E1D
Part of subcall function 00D81DB3: ScreenToClient.USER32(?,?), ref: 00D81E45

GetDC.USER32 ref: 00DBCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00DBCF95
SelectObject.GDI32(00000000,00000000), ref: 00DBCFA3
SelectObject.GDI32(00000000,00000000), ref: 00DBCFB8
ReleaseDC.USER32(?,00000000), ref: 00DBCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00DBD04B

Strings

U, xrefs: 00DBCF20

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a03839afe7dbcac89971f201a05336e80f5788589424d024d2501eaab20b09ee
Instruction ID: 8444ace53a09e7b3a3e4417bf1c7bb3522fb819ed304e3a4dd942bc4ba48ab10
Opcode Fuzzy Hash: a03839afe7dbcac89971f201a05336e80f5788589424d024d2501eaab20b09ee
Instruction Fuzzy Hash: 3771C530500205DFCF219F64C884AFA7BB6FF49354F1842AAFD96661A5D7318C92DB71

Function 00DF8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E0F910), ref: 00DF903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E0F910), ref: 00DF9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DF91EB
SysFreeString.OLEAUT32(?), ref: 00DF9215

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: f09ded3e010b751b49e9627f3f9d5647a334d460e381f65664c2ad444850840d
Instruction ID: cc12487349e0ec8a9772369cba54d123f89e27c653757489cbe706603c13c250
Opcode Fuzzy Hash: f09ded3e010b751b49e9627f3f9d5647a334d460e381f65664c2ad444850840d
Instruction Fuzzy Hash: D2F12971A00209EFDB14DF94C898EBEB7B9FF89314F158059FA15AB250DB31AE45CB60

Function 00DFF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DFFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DFFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DFFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DFFD90
CloseHandle.KERNEL32(?), ref: 00DFFDBF
CloseHandle.KERNEL32(?), ref: 00DFFE36

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a736475cfb9a6a0ce25b3630172beadb9d9f9b23c80e6fe1c65db18337a41406
Instruction ID: 69ccd83b4326987c08606719aa228743affdcadedfe879320d867f8f00c6e014
Opcode Fuzzy Hash: a736475cfb9a6a0ce25b3630172beadb9d9f9b23c80e6fe1c65db18337a41406
Instruction Fuzzy Hash: 6BE1C2312043449FCB14EF24C891A7ABBE1EF85354F19886DF9999B2A2DB31DC45CB72

Function 00DE4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DE38D3,?), ref: 00DE48C7

Part of subcall function 00DE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DE38D3,?), ref: 00DE48E0

Part of subcall function 00DE4CD3: GetFileAttributesW.KERNEL32(?,00DE3947), ref: 00DE4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00DE4FE2
_wcscmp.LIBCMT ref: 00DE4FFC
MoveFileW.KERNEL32(?,?), ref: 00DE5017

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: af9e64051f1ed1e95673ff515a59289a2f35bf3bfcc2343e6a625d09829f0c4c
Instruction ID: 7b162af1a57195269c8918ff2102c485333061615f4acee706393a50cd493a74
Opcode Fuzzy Hash: af9e64051f1ed1e95673ff515a59289a2f35bf3bfcc2343e6a625d09829f0c4c
Instruction Fuzzy Hash: 63515EB20087859BC624EB61D8819DFB3ECEF85341F14092EF289D3152EE74E2888776

Function 00E088B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E0896E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 609df7ee5102e53f77dbb722582567467127334d0aa80dceb6b085d595ee3745
Instruction ID: 36c39c3c9f90d7be7d2a9c716510e1b2af180637895084c05b653b39d9080c26
Opcode Fuzzy Hash: 609df7ee5102e53f77dbb722582567467127334d0aa80dceb6b085d595ee3745
Instruction Fuzzy Hash: 4C51A230600308BEDB349F29CE85BA93BB5FB15354F906112F594F69E1DF71A9D08BA1

Function 00D82B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00DBC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DBC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00DBC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00DBC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00DBC5C0
DestroyIcon.USER32(00000000), ref: 00DBC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00DBC5EC
DestroyIcon.USER32(?), ref: 00DBC5FB

Part of subcall function 00E0A71E: DeleteObject.GDI32(00000000), ref: 00E0A757

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 3bed7668ecc0c041dd98eeb029870aafd87c4c5010888a222bc38330a8deaa78
Instruction ID: 180c36afdcaeb23e34818808d41422ab45e756e8aac8c2572a23b0e1dd06e380
Opcode Fuzzy Hash: 3bed7668ecc0c041dd98eeb029870aafd87c4c5010888a222bc38330a8deaa78
Instruction Fuzzy Hash: 81514474A10209EFDB24EF25CC45FBA3BF5EB58320F140529F942A76A0DB71E991DB60

Function 00DD8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E0C
HeapAlloc.KERNEL32(00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DD8A84,00000B00,?,?), ref: 00DD8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E30
DuplicateHandle.KERNEL32(00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00DD8A84,00000B00,?,?), ref: 00DD8E43
GetCurrentProcess.KERNEL32(00DD8A84,00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E4B
DuplicateHandle.KERNEL32(00000000,?,00DD8A84,00000B00,?,?), ref: 00DD8E4E
CreateThread.KERNEL32(00000000,00000000,00DD8E74,00000000,00000000,00000000), ref: 00DD8E68

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 780a91e9c47677321067aa3876f4eb886ed7fb68c30a07b0bd489562a9f8894b
Instruction ID: 08a123ee157cc98f82663a27f71002e98f8f19633d94797da3d6e04434fa5dee
Opcode Fuzzy Hash: 780a91e9c47677321067aa3876f4eb886ed7fb68c30a07b0bd489562a9f8894b
Instruction Fuzzy Hash: 2901AC75641304FFE620AB65DC49F573B6CEB89711F004421FA05DB5A2CA71D8548A20

Function 00DF9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00DD7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?,?,00DD799D), ref: 00DD766F
Part of subcall function 00DD7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?), ref: 00DD768A
Part of subcall function 00DD7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?), ref: 00DD7698
Part of subcall function 00DD7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?), ref: 00DD76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00DF9B1B
_memset.LIBCMT ref: 00DF9B28
_memset.LIBCMT ref: 00DF9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00DF9C97
CoTaskMemFree.OLE32(?), ref: 00DF9CA2

Strings

NULL Pointer assignment, xrefs: 00DF9CF0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 75eef9cdfdb1b89632eaed81cf2de3dc196d70a242d00b32edfa41493d386239
Instruction ID: 92d103ae54e0b168bbfe4d2f62b91dff1b3d8dfafd77003e7ca6d9a3d7e46c70
Opcode Fuzzy Hash: 75eef9cdfdb1b89632eaed81cf2de3dc196d70a242d00b32edfa41493d386239
Instruction Fuzzy Hash: BA913971D0021DABDB10DFA5DC95AEEBBB9EF08710F20815AF519A7241DB31AA44CFB0

Function 00E06FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E07093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E070A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E070C1
_wcscat.LIBCMT ref: 00E0711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E07133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E07161

Strings

SysListView32, xrefs: 00E07065

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 889cfee57d041c5fcb0a8aac8014481f79fc164c579bb6b3118e2279b994ec7d
Instruction ID: 368be026b873f9d0b51b2ae24a53f9c6a838600d4f8c128b89e5d54731a315cf
Opcode Fuzzy Hash: 889cfee57d041c5fcb0a8aac8014481f79fc164c579bb6b3118e2279b994ec7d
Instruction Fuzzy Hash: 3F41A170A04308AFEB219F64CC85BEE77A8EF08354F10152AF585B71D1D672ADC58B60

Function 00DFEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00DE3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00DE3EB6
Part of subcall function 00DE3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00DE3EC4
Part of subcall function 00DE3E91: CloseHandle.KERNEL32(00000000), ref: 00DE3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFECB8
GetLastError.KERNEL32 ref: 00DFECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DFECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DFED77
GetLastError.KERNEL32(00000000), ref: 00DFED82
CloseHandle.KERNEL32(00000000), ref: 00DFEDB7

Strings

SeDebugPrivilege, xrefs: 00DFECD6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b7272a67ab5e97b012df255904e1cb9ac7f6ea4f4ea897f7adb73a0d3f3a5014
Instruction ID: 3db4d3c48838670c32aa3eaa09c483c1fd6c80341bdec73f271558a6ef873c2a
Opcode Fuzzy Hash: b7272a67ab5e97b012df255904e1cb9ac7f6ea4f4ea897f7adb73a0d3f3a5014
Instruction Fuzzy Hash: 26419C712002049FDB24EF24CCA5F7DB7A5EF80714F088059FA869B2D2DB75A858CBB1

Function 00DE3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DE32C5

Strings

blank, xrefs: 00DE3247
stop, xrefs: 00DE3296
question, xrefs: 00DE327E
info, xrefs: 00DE3266
warning, xrefs: 00DE32AE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3f4ca163086b4d6be725ee0d7808ff593b10c9ad3eec21fa3a359f322f573d9e
Instruction ID: cbf1e61795e5188fee510c4a257c9132d32f5f9c28cac1090fe4f883d13a27af
Opcode Fuzzy Hash: 3f4ca163086b4d6be725ee0d7808ff593b10c9ad3eec21fa3a359f322f573d9e
Instruction Fuzzy Hash: 8F11EB316087C67AD7056A56DC4AD7FB79CDF19370F14002AFA80A7181D6A59B4046B9

Function 00DE4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DE454E
LoadStringW.USER32(00000000), ref: 00DE4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DE456B
LoadStringW.USER32(00000000), ref: 00DE4572
_wprintf.LIBCMT ref: 00DE4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DE45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DE4593

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 6d5d7d0de9528f562772e6d3430a06c76b1a7e64d33e6c9da1e11cd72d76efe5
Instruction ID: 4ab8e9d9738f04d57c542cb46a655c15eead8de50afd24f8ac69136b4e5871ca
Opcode Fuzzy Hash: 6d5d7d0de9528f562772e6d3430a06c76b1a7e64d33e6c9da1e11cd72d76efe5
Instruction Fuzzy Hash: 880144F2900208BFE720E7A59D89EE7776CD708301F4005A5F745E2051EA759ED58B70

Function 00E0D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

GetSystemMetrics.USER32(0000000F), ref: 00E0D78A
GetSystemMetrics.USER32(0000000F), ref: 00E0D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E0D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E0DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E0DA24
ShowWindow.USER32(00000003,00000000), ref: 00E0DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00E0DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E0DA8B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a069a863e2717641521630a0b28451e47e872d8b4ce91e0190e459139fc2e102
Instruction ID: 42c69ffb2abfc774b0dc81a1cf47cc0088669038f7967abdb751b0d19ade5c05
Opcode Fuzzy Hash: a069a863e2717641521630a0b28451e47e872d8b4ce91e0190e459139fc2e102
Instruction Fuzzy Hash: F7B1BB31604215EFDF18CFA9C9857BE7BB1FF48714F089069EC48AB295D771A990CBA0

Function 00D82A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DBC417,00000004,00000000,00000000,00000000), ref: 00D82ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00DBC417,00000004,00000000,00000000,00000000,000000FF), ref: 00D82B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00DBC417,00000004,00000000,00000000,00000000), ref: 00DBC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00DBC417,00000004,00000000,00000000,00000000), ref: 00DBC4D6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 143759d855d9faf1c1d55dbc56b8dd87b04e8895d636113792095f619efeaa16
Instruction ID: e1141b6afedb2ed54c5938f91edc93f55e5559296a5472e2807e0976bccfe72b
Opcode Fuzzy Hash: 143759d855d9faf1c1d55dbc56b8dd87b04e8895d636113792095f619efeaa16
Instruction Fuzzy Hash: 94411934214680AEC73DAB29DC98BBB7BA2FF86310F1C841DE09756560C636F885D731

Function 00DE7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DE737F

Part of subcall function 00DA0FF6: std::exception::exception.LIBCMT ref: 00DA102C
Part of subcall function 00DA0FF6: __CxxThrowException@8.LIBCMT ref: 00DA1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DE73B6
EnterCriticalSection.KERNEL32(?), ref: 00DE73D2
_memmove.LIBCMT ref: 00DE7420
_memmove.LIBCMT ref: 00DE743D
LeaveCriticalSection.KERNEL32(?), ref: 00DE744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DE7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE7480

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: c0e92cde550a13059eb3df78235461d39d033ff864cef81143a2c86e228a18aa
Instruction ID: bdeb3b984ede4a377b0fdb08eb85f1f81813576e5b45626c498504a98c18175c
Opcode Fuzzy Hash: c0e92cde550a13059eb3df78235461d39d033ff864cef81143a2c86e228a18aa
Instruction Fuzzy Hash: E131AD35904205EFCF10EF65DC85AAEBBB8EF45310F1440A9F904AB256DB70DA54CBB4

Function 00E06442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E0645A
GetDC.USER32(00000000), ref: 00E06462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E0646D
ReleaseDC.USER32(00000000,00000000), ref: 00E06479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E064B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E064C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E09299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E06500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E06520

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6b444e35cec5607fe4b3116aa5c7bbd414bdb6983bcd6b2b12abacdc8d7af752
Instruction ID: e41fe44e55a3c17db6902de01e48434d5c264985fa1792c2919ad3ad49c65ccf
Opcode Fuzzy Hash: 6b444e35cec5607fe4b3116aa5c7bbd414bdb6983bcd6b2b12abacdc8d7af752
Instruction Fuzzy Hash: 99319F72201210BFEF208F51DC4AFEA3FA9EF09765F044065FE08AA191C6769C91CBA0

Function 00DDC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DDC087
_memcmp.LIBCMT ref: 00DDC0A9
_memcmp.LIBCMT ref: 00DDC0C1
_memcmp.LIBCMT ref: 00DDC0D4
_memcmp.LIBCMT ref: 00DDC0EE
_memcmp.LIBCMT ref: 00DDC101
_memcmp.LIBCMT ref: 00DDC119
_memcmp.LIBCMT ref: 00DDC134

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 87a2550dee6c1b2eee0ceeb07eacd75d9d916258d73f549817813a85d5b4c067
Instruction ID: 96dfad3134e42f335a925d34e5c7d67db180ffc50b1ffd640387e9f7034151a9
Opcode Fuzzy Hash: 87a2550dee6c1b2eee0ceeb07eacd75d9d916258d73f549817813a85d5b4c067
Instruction Fuzzy Hash: F321C275660316BBD210B5209C42FBB639CEF21394F0C6026FE09E6382EB51DE21C2F5

Function 00DEED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

Part of subcall function 00D9FEC6: _wcscpy.LIBCMT ref: 00D9FEE9

_wcstok.LIBCMT ref: 00DEEEFF
_wcscpy.LIBCMT ref: 00DEEF8E
_memset.LIBCMT ref: 00DEEFC1

Strings

X, xrefs: 00DEEFFE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 34be0f80df7c01f9cf662cc1015af8c0c3aedcdfb134709897678be29bcda612
Instruction ID: 4df71f43dd5ddfafd295b406755caf6d632cde956f2b37223acebead8c846704
Opcode Fuzzy Hash: 34be0f80df7c01f9cf662cc1015af8c0c3aedcdfb134709897678be29bcda612
Instruction Fuzzy Hash: 9EC168316083409FC724FF25C881A6AB7E4EF85314F14492DF8999B2A2DB70ED45CBB2

Function 00D81424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899cc3d1ef3688647dab412e7870c43623895173000090083278a7050161cb30
Instruction ID: 4190523fea8e7bfb062242aca8c90715a41444a7d254421fc1570da48bf79fd9
Opcode Fuzzy Hash: 899cc3d1ef3688647dab412e7870c43623895173000090083278a7050161cb30
Instruction Fuzzy Hash: 28717C34900109EFCB14DF99CC49ABEBB79FF85320F148159F915AA251C730AA5ACFB4

Function 00DF6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbfb115942cd7f5dc646acbccd75be8aedc9bdb401bfbeee0728b11a209f352b
Instruction ID: 0b0fc7f2163c692b96a7b26ce060a97d91ba6b3dc8072615a45f28d6ee403d96
Opcode Fuzzy Hash: fbfb115942cd7f5dc646acbccd75be8aedc9bdb401bfbeee0728b11a209f352b
Instruction Fuzzy Hash: AE61AC72508304ABD720EB24CC91EBBB7E9EF84714F548A19F68597292DB71ED04C7B2

Function 00E0B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01887680), ref: 00E0B6A5
IsWindowEnabled.USER32(01887680), ref: 00E0B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E0B795
SendMessageW.USER32(01887680,000000B0,?,?), ref: 00E0B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00E0B809
GetWindowLongW.USER32(01887680,000000EC), ref: 00E0B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E0B843

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3fef2ae2a5d624267040d864244bfb456684012a57ba96483a19c319347ac1d5
Instruction ID: c3bafc901a0fd86396f395d59c81f13c7d7993051864a964a665b891403b41ab
Opcode Fuzzy Hash: 3fef2ae2a5d624267040d864244bfb456684012a57ba96483a19c319347ac1d5
Instruction Fuzzy Hash: A071D134600204AFDB24DF65D894FAA7BB9FF89304F08516AE945B72E1C732A8D1CB50

Function 00DFF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DFF75C
_memset.LIBCMT ref: 00DFF825
ShellExecuteExW.SHELL32(?), ref: 00DFF86A

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

Part of subcall function 00D9FEC6: _wcscpy.LIBCMT ref: 00D9FEE9

GetProcessId.KERNEL32(00000000), ref: 00DFF8E1
CloseHandle.KERNEL32(00000000), ref: 00DFF910

Strings

@, xrefs: 00DFF839

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 9672f7547f2052594e86b5d0e7d92850393b7d49418a4775d5c8593c6bc792d0
Instruction ID: 291593d424dba2c095a248f77f09cd0b54012125b6d561e2065d1dea4b58a36b
Opcode Fuzzy Hash: 9672f7547f2052594e86b5d0e7d92850393b7d49418a4775d5c8593c6bc792d0
Instruction Fuzzy Hash: A7618CB5A006199FCB14EF64C4919AEFBF5FF48310B198469E996AB351CB30AD41CFB0

Function 00DE145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DE149C
GetKeyboardState.USER32(?), ref: 00DE14B1
SetKeyboardState.USER32(?), ref: 00DE1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DE1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DE155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DE15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DE15C8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c5e3d7177bd89a4a21cb8960fe3cab11c70c509a7ae18957ee803149e893b715
Instruction ID: 42b8127cafd9be7e5b00c8b2c3f8301e70bba6807e7b037d857b97d5548ae69a
Opcode Fuzzy Hash: c5e3d7177bd89a4a21cb8960fe3cab11c70c509a7ae18957ee803149e893b715
Instruction Fuzzy Hash: 4F51E2B47047D53EFB3262268C45BBABEA96B46304F0C448DE1D6558C2C2A5DCD8D770

Function 00DE1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DE12B5
GetKeyboardState.USER32(?), ref: 00DE12CA
SetKeyboardState.USER32(?), ref: 00DE132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DE1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DE1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DE13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DE13D9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 85cf686b0c0d15bdc5a2ae6bfd3b53c536710db722780cf79c21c85b5f4c8eb7
Instruction ID: 95758ad87ed75b929a9c86b2456c837e5238ee660feecd0ccf320958f6372203
Opcode Fuzzy Hash: 85cf686b0c0d15bdc5a2ae6bfd3b53c536710db722780cf79c21c85b5f4c8eb7
Instruction Fuzzy Hash: 9651E3B47046D57DFB32A2268C45BBABFA99B06300F0C8589E1D456CC2D3A5EC98D770

Function 00DE589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DE58AC
_wcsncpy.LIBCMT ref: 00DE58E1
_wcsncpy.LIBCMT ref: 00DE5913
_wcsncpy.LIBCMT ref: 00DE5946
_wcsncpy.LIBCMT ref: 00DE5988
_wcsncpy.LIBCMT ref: 00DE59C2
_wcsncpy.LIBCMT ref: 00DE59F1

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 019cfe7316e1eb841bb81615c404b68127d6f8cbf08a950a59dc6ecfd798347c
Instruction ID: 6d4eb07e529d481b57087476484decce4db4a651987bfbc64eca5e15cb519a67
Opcode Fuzzy Hash: 019cfe7316e1eb841bb81615c404b68127d6f8cbf08a950a59dc6ecfd798347c
Instruction Fuzzy Hash: 5141A2A5C2061876CB10FBB98C86ADFB7A8DF06310F508562F518E3122E734E754C7B9

Function 00DDDA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DDDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00DDDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00DDDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00DDDB8E

Strings

,,, xrefs: 00DDDA69
DllGetClassObject, xrefs: 00DDDB01

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: 50efad1666911906a6c72a0edf37dac577136f9b0df01692763a0fcb88cefed9
Instruction ID: fa3817f51cf45917769c64ba6a6ee8747aca5fa0a2c6c1a86095e51976fd0e32
Opcode Fuzzy Hash: 50efad1666911906a6c72a0edf37dac577136f9b0df01692763a0fcb88cefed9
Instruction Fuzzy Hash: 74412DB1600208EFDF15CF55C884A9A7BBAEF48354F1681ABE9059F206D7B1D944DBB0

Function 00DE38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DE38D3,?), ref: 00DE48C7

Part of subcall function 00DE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DE38D3,?), ref: 00DE48E0

lstrcmpiW.KERNEL32(?,?), ref: 00DE38F3
_wcscmp.LIBCMT ref: 00DE390F
MoveFileW.KERNEL32(?,?), ref: 00DE3927
_wcscat.LIBCMT ref: 00DE396F
SHFileOperationW.SHELL32(?), ref: 00DE39DB

Strings

\*.*, xrefs: 00DE3969

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 70335d29325caa6a9be198d9c8ea5d8d05f02f85f6ea3c955395a724d27fa030
Instruction ID: 470a61651ea01b4f8c0dba0eeaf3111a9d0bb42e3b0e92866d777b3eb2d5ec78
Opcode Fuzzy Hash: 70335d29325caa6a9be198d9c8ea5d8d05f02f85f6ea3c955395a724d27fa030
Instruction Fuzzy Hash: 34417D714083849AC756EF66C8859EFB7E8EF89340F54082EB489C3152EB75D788CB72

Function 00E07500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E07519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E075C0
IsMenu.USER32(?), ref: 00E075D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E07620
DrawMenuBar.USER32 ref: 00E07633

Strings

0, xrefs: 00E0750D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5c116a3b08b0396067262cd2a9830d36928bcb2c092aa78dc31e6c5b70235395
Instruction ID: 3ef62cd6600803ad47dc564f93057f9604670ad0e6c8e2a881d1ae3d8be49de3
Opcode Fuzzy Hash: 5c116a3b08b0396067262cd2a9830d36928bcb2c092aa78dc31e6c5b70235395
Instruction Fuzzy Hash: 82416C74A04608EFDB20DF54E884EDABBF8FB09314F044029ED96A7290D731AD94CFA0

Function 00E0122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E0125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E01286
FreeLibrary.KERNEL32(00000000), ref: 00E0133D

Part of subcall function 00E0122D: RegCloseKey.ADVAPI32(?), ref: 00E012A3
Part of subcall function 00E0122D: FreeLibrary.KERNEL32(?), ref: 00E012F5
Part of subcall function 00E0122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E01318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E012E0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 3dd6735a977760b4256978b3321d9a8939231f097e509ecdc3b4b4e8170850fd
Instruction ID: 48b8a97ca4e7ae77493c78ac9d09c0447321d8c42d112f58273a189aa699dc86
Opcode Fuzzy Hash: 3dd6735a977760b4256978b3321d9a8939231f097e509ecdc3b4b4e8170850fd
Instruction Fuzzy Hash: D2312BB1901109BFEB149B91DC89AFEB7BCEF08304F0011A9E501F6591EA759E899AA0

Function 00E0653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E0655B
GetWindowLongW.USER32(01887680,000000F0), ref: 00E0658E
GetWindowLongW.USER32(01887680,000000F0), ref: 00E065C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E065F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E0661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00E06630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E0664A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 277929aef4e4f3f3496fa22ce213244eece2d6e61b3a379cccb4d0ce6e7a9bb3
Instruction ID: d2a0d2a8e34b41d81ed2d2b009ea0f243f11fa326b43576c500bd817036d87ef
Opcode Fuzzy Hash: 277929aef4e4f3f3496fa22ce213244eece2d6e61b3a379cccb4d0ce6e7a9bb3
Instruction Fuzzy Hash: 7C311334604210AFDB20CF19EC85F553BE1FB4A718F1811A8F501AB2F5CB72ACA5DB81

Function 00DF6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DF80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DF64D9
WSAGetLastError.WSOCK32(00000000), ref: 00DF64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DF6521
connect.WSOCK32(00000000,?,00000010), ref: 00DF652A
WSAGetLastError.WSOCK32 ref: 00DF6534
closesocket.WSOCK32(00000000), ref: 00DF655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DF6576

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 054cc88b4f5276bdedf7671bb8a493bef3c9d245cdde66a6e557576da65861c6
Instruction ID: e546f2eba9ac73812995ff86d60da420ec6e28f2050dc296eb00d905f156214b
Opcode Fuzzy Hash: 054cc88b4f5276bdedf7671bb8a493bef3c9d245cdde66a6e557576da65861c6
Instruction Fuzzy Hash: B131A431600118AFDB10AF64CC85BBE77ACEB44714F058069FA45A7691DB71ED44CBB1

Function 00DDE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DDE120
SysAllocString.OLEAUT32(00000000), ref: 00DDE123
SysAllocString.OLEAUT32 ref: 00DDE144
SysFreeString.OLEAUT32 ref: 00DDE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00DDE167
SysAllocString.OLEAUT32(?), ref: 00DDE175

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8a3a206b909f02e528055d40b8c0775310f47ba4ba4cb2376fe7f019d89bee26
Instruction ID: deb2d10b12ac921159ed6311579f5c8bfd2527f2665e49dbbac85db9f321f6a8
Opcode Fuzzy Hash: 8a3a206b909f02e528055d40b8c0775310f47ba4ba4cb2376fe7f019d89bee26
Instruction Fuzzy Hash: 1021A135600218AFDB20BFA9DC88CAB77ECEB09760B048126F954DB260DA71DC85CB74

Function 00E0783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E078A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E078AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E078B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E078C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E078D4

Strings

Msctls_Progress32, xrefs: 00E07872

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5439a03f5ec6022a6a5a21f6a731ae2c822dc91064348ee03907caeb5df0d461
Instruction ID: ea6ff57cab4bca8907914cb54b3ad3beaf9089c22b56eb94bbe3336e4a5b72e9
Opcode Fuzzy Hash: 5439a03f5ec6022a6a5a21f6a731ae2c822dc91064348ee03907caeb5df0d461
Instruction Fuzzy Hash: 20118EB2510219BFEF159E60CC85EE77F6DEF08798F019115FA44A20A0C772AC61DBB0

Function 00DA41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00DA4292,?), ref: 00DA41E3
GetProcAddress.KERNEL32(00000000), ref: 00DA41EA
EncodePointer.KERNEL32(00000000), ref: 00DA41F6
DecodePointer.KERNEL32(00000001,00DA4292,?), ref: 00DA4213

Strings

combase.dll, xrefs: 00DA41DE
RoInitialize, xrefs: 00DA41D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: a06905fac1d1648b47a4d2854d7eac448901a67d02ae740783a6b90549d5a0b2
Instruction ID: 50cb5a168bebbf572594ac59c8decf5bfb9860cf4716334cca8d5fbc347b18e4
Opcode Fuzzy Hash: a06905fac1d1648b47a4d2854d7eac448901a67d02ae740783a6b90549d5a0b2
Instruction Fuzzy Hash: 3DE012F46913409FDB206B72EC09B443594BB56706F105424F551F55E0DBB654EA8F10

Function 00DA429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DA41B8), ref: 00DA42B8
GetProcAddress.KERNEL32(00000000), ref: 00DA42BF
EncodePointer.KERNEL32(00000000), ref: 00DA42CA
DecodePointer.KERNEL32(00DA41B8), ref: 00DA42E5

Strings

RoUninitialize, xrefs: 00DA42A7
combase.dll, xrefs: 00DA42B3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 6e1ffea3ffe12f43d3c13908496a483ed099a45b2dbf11717b082d106ab1a243
Instruction ID: f0c92a7a431c9b0a2797f7da718f0244c94769f88583fa1797303bd54d4c4c07
Opcode Fuzzy Hash: 6e1ffea3ffe12f43d3c13908496a483ed099a45b2dbf11717b082d106ab1a243
Instruction Fuzzy Hash: 09E0BFBC6423019FDB209B62FC0EB453AA4B715B46F255028F101F15E0CBB545E9CA18

Function 00DE675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DE68AD
_memmove.LIBCMT ref: 00DE67E8

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

_memmove.LIBCMT ref: 00DE685B
_memmove.LIBCMT ref: 00DE6942
_memmove.LIBCMT ref: 00DE695B
_memmove.LIBCMT ref: 00DE6977

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
Instruction ID: 98ac3e685d1be8d37dea9936f0dbbcd10ab27e1022121149a4818cc550443b85
Opcode Fuzzy Hash: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
Instruction Fuzzy Hash: 7F61893450029AABCB11FF21CC92EFE77A4EF55348F084519F8995B292DA30E941CBB0

Function 00E0046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00E010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E00038,?,?), ref: 00E010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E00548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E00588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E005AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E005D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E00617
RegCloseKey.ADVAPI32(00000000), ref: 00E00624

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: aa4908ac9254786e7c11c31cf06d26565abf089c7bfe1fb8d6e593b4842ac423
Instruction ID: 5990d0061aa56baae3cb526b3ce272f0b772e8f7b1f386d225c1ec2ca7b5afeb
Opcode Fuzzy Hash: aa4908ac9254786e7c11c31cf06d26565abf089c7bfe1fb8d6e593b4842ac423
Instruction Fuzzy Hash: A9514831208200AFCB24EB64DC85E6EBBE9FF88714F04491DF595A72A1DB31E954CB62

Function 00E05A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E05A82
GetMenuItemCount.USER32(00000000), ref: 00E05AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E05AE1
GetMenuItemID.USER32(?,?), ref: 00E05B50
GetSubMenu.USER32(?,?), ref: 00E05B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E05BAF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 4422d0cb65a85d108fcafe3c235a9794edb9f7c1bbbe82358eb337b89e72cfa2
Instruction ID: 4d755d530b504adb009945b403c5c226b18b9e434acc4bf2c4b7934fcdf4bae7
Opcode Fuzzy Hash: 4422d0cb65a85d108fcafe3c235a9794edb9f7c1bbbe82358eb337b89e72cfa2
Instruction Fuzzy Hash: D7516F36A00615EFCB15EFA5C845AAEB7B4EF48310F144459F851B7391CB71AE81CFA0

Function 00DDF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DDF3F7
VariantClear.OLEAUT32(00000013), ref: 00DDF469
VariantClear.OLEAUT32(00000000), ref: 00DDF4C4
_memmove.LIBCMT ref: 00DDF4EE
VariantClear.OLEAUT32(?), ref: 00DDF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DDF569

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: b4c44b6b7b7b49531ce2596a4a13c9f0c8da917499bee680d75182ae0da0e252
Instruction ID: 95f2d186301164891c9eda12e8586ca964384e7a7bda7defebf0b50e2df18be3
Opcode Fuzzy Hash: b4c44b6b7b7b49531ce2596a4a13c9f0c8da917499bee680d75182ae0da0e252
Instruction Fuzzy Hash: 915168B5A00209EFCB10CF58D880AAAB7F8FF4C314B15856AED59DB301D730E951CBA0

Function 00DE26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DE2792
IsMenu.USER32(00000000), ref: 00DE27B2
CreatePopupMenu.USER32 ref: 00DE27E6
GetMenuItemCount.USER32(000000FF), ref: 00DE2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DE2875

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 1211ac83dca03ce12355e726bd29117bcedac2f74f3f7ee314ccf3da32439bc5
Instruction ID: 42888cd9a1027426e97173888697266cf6c00e9b26f7814da79c9edf3de9a179
Opcode Fuzzy Hash: 1211ac83dca03ce12355e726bd29117bcedac2f74f3f7ee314ccf3da32439bc5
Instruction Fuzzy Hash: 0C518D70A00285EFDB24EF6AC888ABEBBF9EF44314F184169E455AB291D7708944CB71

Function 00D81765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00D8179A
GetWindowRect.USER32(?,?), ref: 00D817FE
ScreenToClient.USER32(?,?), ref: 00D8181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D8182C
EndPaint.USER32(?,?), ref: 00D81876

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: f94084d70a05bc9bd69afad99b8b5d460423e9a6150efd3868d0f6d4d877cb57
Instruction ID: c884b0442e04eae6479538fd35b81702cb0d4dc97189877e3161271f1cc2be5a
Opcode Fuzzy Hash: f94084d70a05bc9bd69afad99b8b5d460423e9a6150efd3868d0f6d4d877cb57
Instruction Fuzzy Hash: 6341BE74500300EFC720EF25DC85FBA7BF8EB4A724F040629F995962A1C771984ADB72

Function 00E0B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E467B0,00000000,01887680,?,?,00E467B0,?,00E0B862,?,?), ref: 00E0B9CC
EnableWindow.USER32(00000000,00000000), ref: 00E0B9F0
ShowWindow.USER32(00E467B0,00000000,01887680,?,?,00E467B0,?,00E0B862,?,?), ref: 00E0BA50
ShowWindow.USER32(00000000,00000004,?,00E0B862,?,?), ref: 00E0BA62
EnableWindow.USER32(00000000,00000001), ref: 00E0BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E0BAA9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f751277fc9f4bdb14c8c4896f01c99a36bab9ed751617fcb22eef8c0911224fa
Instruction ID: f3bff2943caba13cfc77b0d87ec50848fd5678efb57561d4e929f99609b4649d
Opcode Fuzzy Hash: f751277fc9f4bdb14c8c4896f01c99a36bab9ed751617fcb22eef8c0911224fa
Instruction Fuzzy Hash: 2C417430600241AFDB22CF15C489B957BF0FF45314F5851B9EA58AF6E2C732E895CB61

Function 00DF73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00DF5134,?,?,00000000,00000001), ref: 00DF73BF

Part of subcall function 00DF3C94: GetWindowRect.USER32(?,?), ref: 00DF3CA7

GetDesktopWindow.USER32 ref: 00DF73E9
GetWindowRect.USER32(00000000), ref: 00DF73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00DF7422

Part of subcall function 00DE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE555E

GetCursorPos.USER32(?), ref: 00DF744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DF74AC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 112202e8ade0a8faae63da286d21283949491f17c0232e77d2e00f8b8fe94414
Instruction ID: 7c3de293a738bde44ee40c5cb865ba104ae61cedb10be828959e9e0bfa5aae97
Opcode Fuzzy Hash: 112202e8ade0a8faae63da286d21283949491f17c0232e77d2e00f8b8fe94414
Instruction Fuzzy Hash: 0A31D472508309AFD720DF15DC49FABBBA9FF88354F004919F588A7191CA31E959CBA2

Function 00DD8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD8608
Part of subcall function 00DD85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD8612
Part of subcall function 00DD85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD8621
Part of subcall function 00DD85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DD8628
Part of subcall function 00DD85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD863E

GetLengthSid.ADVAPI32(?,00000000,00DD8977), ref: 00DD8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DD8DB8
HeapAlloc.KERNEL32(00000000), ref: 00DD8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00DD8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00DD8977), ref: 00DD8DEC
HeapFree.KERNEL32(00000000), ref: 00DD8DF3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 747b15823a1e51172efb0f6b396061a0d3ecda308cd586a19579a5605b5b973d
Instruction ID: 52228537cb29a61a37e0fe3b0b6a5e7c78d6c0938221d4d049787c9624ceed61
Opcode Fuzzy Hash: 747b15823a1e51172efb0f6b396061a0d3ecda308cd586a19579a5605b5b973d
Instruction Fuzzy Hash: 8C11DF31901604FFDB229FA5CC08BAE77BAEF54315F14402AE885A3291CB369958EB70

Function 00DD8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00DD8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00DD8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00DD8B40
CloseHandle.KERNEL32(00000004), ref: 00DD8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DD8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00DD8B8E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: da94db9a584b46ac160ffea5816784d7d0f2b315d492dbba87eba41fd8073e51
Instruction ID: ecda9be0917349c5cc35e85815311f127c4ad2065ccb54f7efd68d4254615d08
Opcode Fuzzy Hash: da94db9a584b46ac160ffea5816784d7d0f2b315d492dbba87eba41fd8073e51
Instruction Fuzzy Hash: 5D116DB250020DAFDF128FA5DD49FDE7BA9EF08705F094066FE04A2160C7769D64EB61

Function 00E0C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8134D
Part of subcall function 00D812F3: SelectObject.GDI32(?,00000000), ref: 00D8135C
Part of subcall function 00D812F3: BeginPath.GDI32(?), ref: 00D81373
Part of subcall function 00D812F3: SelectObject.GDI32(?,00000000), ref: 00D8139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E0C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00E0C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E0C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00E0C1F6
EndPath.GDI32(00000000), ref: 00E0C206
StrokePath.GDI32(00000000), ref: 00E0C216

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 83c45be9cc1736c65f43d2adca844e31ea3948b5f667d3f1c991807b7dc4c6ec
Instruction ID: 0aa3904f71a76561ec7252439139cf5a2cad0741b02b431859f3bb02900f67d4
Opcode Fuzzy Hash: 83c45be9cc1736c65f43d2adca844e31ea3948b5f667d3f1c991807b7dc4c6ec
Instruction Fuzzy Hash: EC111B7640010CBFDF119F91DC88FAA7FADEB09354F048021FA186A5B1C7729DA9DBA0

Function 00DA03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DA03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DA03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DA03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DA03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DA03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DA0401

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c2c64d275d58dfd6552ed10d7948c033bc586d2016e8d1022dabff39f472b79b
Instruction ID: 04b7a8951bbbd8142de8d9736043d199335094bed6074704c3ab305962b0ef8f
Opcode Fuzzy Hash: c2c64d275d58dfd6552ed10d7948c033bc586d2016e8d1022dabff39f472b79b
Instruction Fuzzy Hash: 38016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5

Function 00DE568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DE569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DE56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00DE56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DE56E0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8a67c17b604d85c6f283822f0b607f8991e8bb7ddddb2f9af46121bcf99fe941
Instruction ID: cb6b0325cef46e3aff46aa33598ff94bb1ccd7ce0eb6474354112a0b2c77e40e
Opcode Fuzzy Hash: 8a67c17b604d85c6f283822f0b607f8991e8bb7ddddb2f9af46121bcf99fe941
Instruction Fuzzy Hash: 50F06D32241158BFE3305BA3AC0DEAF7A7CEBC6B11F000169FA00E1051DAA21A6586F5

Function 00DE74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DE74E5
EnterCriticalSection.KERNEL32(?,?,00D91044,?,?), ref: 00DE74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00D91044,?,?), ref: 00DE7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D91044,?,?), ref: 00DE7510

Part of subcall function 00DE6ED7: CloseHandle.KERNEL32(00000000,?,00DE751D,?,00D91044,?,?), ref: 00DE6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00DE7523
LeaveCriticalSection.KERNEL32(?,?,00D91044,?,?), ref: 00DE752A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 143e16dacb27e3ca886f0827b455480908ec3b1a792221350db5fe4e71fb41da
Instruction ID: 5c44332ed4eef88bacce38eaa589d1954cda55ee171668c0603971f3bc4ea999
Opcode Fuzzy Hash: 143e16dacb27e3ca886f0827b455480908ec3b1a792221350db5fe4e71fb41da
Instruction Fuzzy Hash: 98F0543A540712EFD7222B65FC4C9DB7729EF45702B040531F102A14B5CB7658A5CB60

Function 00DD8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DD8E7F
UnloadUserProfile.USERENV(?,?), ref: 00DD8E8B
CloseHandle.KERNEL32(?), ref: 00DD8E94
CloseHandle.KERNEL32(?), ref: 00DD8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00DD8EA5
HeapFree.KERNEL32(00000000), ref: 00DD8EAC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a8dfc1f8932f4f9425a5deca0c24432d1731906f6f5a939481ca8502d6dee4f2
Instruction ID: 9621adf35bb4edb981ecfea429d954e177b2bb18cfeaa8a25d5d9f6d9fa5459d
Opcode Fuzzy Hash: a8dfc1f8932f4f9425a5deca0c24432d1731906f6f5a939481ca8502d6dee4f2
Instruction Fuzzy Hash: 97E0C236004201FFDA115FE2EC0C90ABB79FB89722B108231F219A1871CB3394B8DB90

Function 00DD7A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E12C7C,?), ref: 00DD7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E12C7C,?), ref: 00DD7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00E0FB80,000000FF,?,00000000,00000800,00000000,?,00E12C7C,?), ref: 00DD7C6F
_memcmp.LIBCMT ref: 00DD7C90

Strings

,,, xrefs: 00DD7A85

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: 1321dc2fe1bac0eae6e3595edc192616451e211adccd60bed8a3cea7595fea59
Instruction ID: 1e6fa7a2e88bb2343388390d5b7ca3a24d7f1c9a7695ac8ab44f36ec85415c87
Opcode Fuzzy Hash: 1321dc2fe1bac0eae6e3595edc192616451e211adccd60bed8a3cea7595fea59
Instruction Fuzzy Hash: 7C812C75A00109EFCB04DF98C984DEEB7B9FF89315F244199F506AB250EB71AE46CB60

Function 00DF8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DF8928
CharUpperBuffW.USER32(?,?), ref: 00DF8A37
VariantClear.OLEAUT32(?), ref: 00DF8BAF

Part of subcall function 00DE7804: VariantInit.OLEAUT32(00000000), ref: 00DE7844
Part of subcall function 00DE7804: VariantCopy.OLEAUT32(00000000,?), ref: 00DE784D
Part of subcall function 00DE7804: VariantClear.OLEAUT32(00000000), ref: 00DE7859

Strings

Incorrect Parameter format, xrefs: 00DF8960, 00DF8B22
AUTOIT.ERROR, xrefs: 00DF8A3D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: cc8c4dc71f4f0939a086423ff1639ba912e5bf86a6bf7614b553b04f08033e73
Instruction ID: 051100570df4918164e876d308521ebee2bc602f86321118ba51ee7f3a56da0b
Opcode Fuzzy Hash: cc8c4dc71f4f0939a086423ff1639ba912e5bf86a6bf7614b553b04f08033e73
Instruction Fuzzy Hash: 729191716043059FC710EF24C48596BBBE4EF89704F08896EF99A8B361DB31E945CB72

Function 00DE2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9FEC6: _wcscpy.LIBCMT ref: 00D9FEE9

_memset.LIBCMT ref: 00DE3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DE3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DE3187

Strings

0, xrefs: 00DE3063

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e9ad0b781c46586476456546dd9ae318a43131f13d2b72c1332f10f0a917dcb0
Instruction ID: 4aa2c09c1b7df9f27a816d27df83f8b031d5cd7a4317b3165646371f84edecfa
Opcode Fuzzy Hash: e9ad0b781c46586476456546dd9ae318a43131f13d2b72c1332f10f0a917dcb0
Instruction Fuzzy Hash: 5851A2716083809ED725BF2AD849A7BB7E8EF95364F08092DF895D3191DB70CE448772

Function 00DE2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DE2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00DE2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E46890,00000000), ref: 00DE2D5A

Strings

0, xrefs: 00DE2CA4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5ab8d309c40eb0450de019d6abc8e0ba4e3d9dd761f834af20b6b02d82a0e3a4
Instruction ID: 584edb3aeaafc6bc3cd1c5e4b9e86241e4ea83c5ffcb9b94630071999f2de262
Opcode Fuzzy Hash: 5ab8d309c40eb0450de019d6abc8e0ba4e3d9dd761f834af20b6b02d82a0e3a4
Instruction Fuzzy Hash: 884181701043819FD724EF26DC44B6AB7E9EF85320F18461DFAA597291D770E904CBB2

Function 00DFDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DFDAD9

Part of subcall function 00D879AB: _memmove.LIBCMT ref: 00D879F9

Strings

cdecl, xrefs: 00DFDB30
stdcall, xrefs: 00DFDB5B
winapi, xrefs: 00DFDB4A
none, xrefs: 00DFDBB4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 4d6edbb4eec7c9c56498fc4e7d95cdcab0d41e48585fe55c9486ed3c9dcb79b5
Instruction ID: 58ca15415ab6ecae12d106cea6073fb64c212d265102c163f82733ee8046c195
Opcode Fuzzy Hash: 4d6edbb4eec7c9c56498fc4e7d95cdcab0d41e48585fe55c9486ed3c9dcb79b5
Instruction Fuzzy Hash: 0031CF7150021AAFCF00EF54CC818BEB7B6FF45310B15862AE966A7691CB31E906CBB0

Function 00DD9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DD93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DD9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DD9439

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Strings

ListBox, xrefs: 00DD93B5
ComboBox, xrefs: 00DD9380

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b046db8eb28789a4956bfef298e123497bd6970ad5f711a32befd6df197f7e11
Instruction ID: ac157f7e9ff210c31df5f550a5405fcf6eabc8f23d75b7cd2daaabeccb015917
Opcode Fuzzy Hash: b046db8eb28789a4956bfef298e123497bd6970ad5f711a32befd6df197f7e11
Instruction Fuzzy Hash: 5F21E471900104BEDB14ABB0DC95CFFB768DF05760B14421AF925A72E1DB36594A9730

Function 00E06656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E066D0
LoadLibraryW.KERNEL32(?), ref: 00E066D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E066EC
DestroyWindow.USER32(?), ref: 00E066F4

Strings

SysAnimate32, xrefs: 00E066AB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 270a16d23c5ebc501e7b70db47412ad3398288291355df07e6aeed1245fb89ce
Instruction ID: f8cb93c94370a3819a162dc77062c2fe0ca6816b6ca017e65329c6adea0382b9
Opcode Fuzzy Hash: 270a16d23c5ebc501e7b70db47412ad3398288291355df07e6aeed1245fb89ce
Instruction Fuzzy Hash: 57218B71200206AFEF104FA4EC80FAB37ADEB59768F106629F911B61E0D7728CA19760

Function 00DE703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00DE705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE7091
GetStdHandle.KERNEL32(0000000C), ref: 00DE70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DE70DD

Strings

nul, xrefs: 00DE70D8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4e62981e0d482ea1fbe6b510e32a1ea0a848188606cd43ab3dc4336a89446b77
Instruction ID: e1bdf6df708471fe84072c38ac65d3013b0408e3ca71ded16d0e9a7d1ea5dbd6
Opcode Fuzzy Hash: 4e62981e0d482ea1fbe6b510e32a1ea0a848188606cd43ab3dc4336a89446b77
Instruction Fuzzy Hash: 7221817450434AABDB20AF3ADC05A9A77B8BF54720F244619FCA0D72D0D7B1D950CB70

Function 00DE710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DE712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DE715D
GetStdHandle.KERNEL32(000000F6), ref: 00DE716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DE71A8

Strings

nul, xrefs: 00DE71A3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f9cb8475f241382c16d5aadddd0700f9675639272c444332fa9ef89afcc8a289
Instruction ID: 3b01c1f70c13c498d8eeb72b27822cb02494a3153e71f62e99fe250ef6acbe00
Opcode Fuzzy Hash: f9cb8475f241382c16d5aadddd0700f9675639272c444332fa9ef89afcc8a289
Instruction Fuzzy Hash: 1821A175604386ABDB20AF6A9C04AAAB7A8AF55730F240619FCF0E32D0D771D851CB70

Function 00DEAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DEAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DEAF13
__swprintf.LIBCMT ref: 00DEAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E0F910), ref: 00DEAF6A

Strings

%lu, xrefs: 00DEAF26

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 9a2afc31f5c96bfb47c492bb9d5b7639bf0d8d5d25e15ac4859e14ca2a16906f
Instruction ID: 5a4b9c7ffa8aab272455f0bf468eec249b45c01823311167cfbc82b8480d8256
Opcode Fuzzy Hash: 9a2afc31f5c96bfb47c492bb9d5b7639bf0d8d5d25e15ac4859e14ca2a16906f
Instruction Fuzzy Hash: C7218334A00209AFCB10EF65CC85DAEBBB8EF89704B044069F909EB251DB71EA45CB71

Function 00DDA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

Part of subcall function 00DDA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DDA399
Part of subcall function 00DDA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDA3AC
Part of subcall function 00DDA37C: GetCurrentThreadId.KERNEL32 ref: 00DDA3B3
Part of subcall function 00DDA37C: AttachThreadInput.USER32(00000000), ref: 00DDA3BA

GetFocus.USER32 ref: 00DDA554

Part of subcall function 00DDA3C5: GetParent.USER32(?), ref: 00DDA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00DDA59D
EnumChildWindows.USER32(?,00DDA615), ref: 00DDA5C5
__swprintf.LIBCMT ref: 00DDA5DF

Strings

%s%d, xrefs: 00DDA5D9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 5ce363e6f3e8e7fca61ade7506410d0731819b6b55860670bf809f2489968d2e
Instruction ID: ffaa65532d6d9052195ba99e98d4bc5e63100c20e615e0a18af95869c08fa54f
Opcode Fuzzy Hash: 5ce363e6f3e8e7fca61ade7506410d0731819b6b55860670bf809f2489968d2e
Instruction Fuzzy Hash: 2711D271200208BBCF207FA8DC85FEA377DEF49700F048076F908AA252CA7599858B75

Function 00DE2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DE2048

Strings

REMOVE, xrefs: 00DE204E
KEYS, xrefs: 00DE205F
EXISTS, xrefs: 00DE2070
APPEND, xrefs: 00DE2081

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ff38ea6993a25946a0094db12bf4ac76cf4d0f732ab372d288eda39972623dcf
Instruction ID: 45097c43a0ddf7d21efd3098c4ca1301aba378c4504cc168089164e7559f11e9
Opcode Fuzzy Hash: ff38ea6993a25946a0094db12bf4ac76cf4d0f732ab372d288eda39972623dcf
Instruction Fuzzy Hash: 3E116D71900119CFCF00EFA5D8814FEBBB4FF5A304F148468D895A7292EB32A90ACB71

Function 00DFEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DFEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DFEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DFF07E
CloseHandle.KERNEL32(?), ref: 00DFF0FF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9b6fc16eea586fcd5d11d5e87dbc758450cc0fc16e4a266d36e9c94b989e99a4
Instruction ID: 1a8e29716744bbbcd12bbf9c4d82e11844a346ad13e25001aab33b4cd9567151
Opcode Fuzzy Hash: 9b6fc16eea586fcd5d11d5e87dbc758450cc0fc16e4a266d36e9c94b989e99a4
Instruction Fuzzy Hash: 998154716043019FD724EF24C896F3AB7E5EF48710F19881DF696DB292DB71AC418B61

Function 00E002C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00E010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E00038,?,?), ref: 00E010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E00388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E003C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E0040E
RegCloseKey.ADVAPI32(?,?), ref: 00E0043A
RegCloseKey.ADVAPI32(00000000), ref: 00E00447

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 22f2ec1cfe0c80d41e87a9b2d7a8fe7bcff5aa960d5b78672eeccd0b3cfd5ffc
Instruction ID: a86d3aaacef78ec41b6298734c2998277cc48e8b4120d53e4cafda995fb0268e
Opcode Fuzzy Hash: 22f2ec1cfe0c80d41e87a9b2d7a8fe7bcff5aa960d5b78672eeccd0b3cfd5ffc
Instruction Fuzzy Hash: BC514731208204AFD714EB64DC81F6EB7E8FF88704F44992EF595A72A1DB35E944CB62

Function 00DFDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DFDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00DFDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00DFDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00DFDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DFDD35

Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7B20,?,?,00000000), ref: 00D85B8C
Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7B20,?,?,00000000,?,?), ref: 00D85BB0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7cd9ba2070e8fdc20009e37ba14780ac7370669eab3da9b258a0621f015d4797
Instruction ID: 5a9663e9101b48f4a1dbe18abfb02c94872bb728841071054b2f8a07e165aa7c
Opcode Fuzzy Hash: 7cd9ba2070e8fdc20009e37ba14780ac7370669eab3da9b258a0621f015d4797
Instruction Fuzzy Hash: 73511675A002099FCB00EF68C8949ADB7F6EF59310B19C069E959AB312DB31ED45CFA1

Function 00DEE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DEE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00DEE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DEE8F2

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DEE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DEE91F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 5e5ecdc795a909ea18a7aa67220faa8c80e277cb5deb0419e148cfe6546a13da
Instruction ID: 0d5b4bed1d456f01b9ee0f712b0a91a9fead0cb9e896470688dd066b76929213
Opcode Fuzzy Hash: 5e5ecdc795a909ea18a7aa67220faa8c80e277cb5deb0419e148cfe6546a13da
Instruction Fuzzy Hash: 4F510A35A00205DFCB15EF65C9919AEBBF5EF49310B188099E849AB362CB31ED51DF70

Function 00E0A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694f792dfd93ba7c2d577069cfc074d9c2a2271b5905fe1c3bcff4816d620467
Instruction ID: 1c7af86a85a200a7d4656c774775f280f96667f86da28783a70896d91d1329fc
Opcode Fuzzy Hash: 694f792dfd93ba7c2d577069cfc074d9c2a2271b5905fe1c3bcff4816d620467
Instruction Fuzzy Hash: A441EF39900308AFC720DB28CC48FEDBBA5EB09314F185275E865B72E0C774ADD18A52

Function 00D82344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D82357
ScreenToClient.USER32(00E467B0,?), ref: 00D82374
GetAsyncKeyState.USER32(00000001), ref: 00D82399
GetAsyncKeyState.USER32(00000002), ref: 00D823A7

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c5cbeb5ffc0e0f05504583d2dfba56dd41a12313b3a4ec8b1a855607afa161cb
Instruction ID: fa171dd6a8fd8e838c4ede6ca397a0547fedb8aad010489666f08fecb549138a
Opcode Fuzzy Hash: c5cbeb5ffc0e0f05504583d2dfba56dd41a12313b3a4ec8b1a855607afa161cb
Instruction Fuzzy Hash: 2C41AF35904119FFDF199F68CC44AFDBBB4FB05320F20431AF869A2290C7359994DBA1

Function 00DD6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00DD69A9
TranslateMessage.USER32(?), ref: 00DD69D2
DispatchMessageW.USER32(?), ref: 00DD69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DD69EB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 17c674f34f55878f3c104c94838c490e6d867eee711184b0b697581c954f800d
Instruction ID: 6be08176ab103dee63b12117341f9c71d4387b7cf3ae1521cc1b38ee7aac72f5
Opcode Fuzzy Hash: 17c674f34f55878f3c104c94838c490e6d867eee711184b0b697581c954f800d
Instruction Fuzzy Hash: 4231D671900246AFDB20CFB59C44BB67BACAB12304F144167E451E2261D775E88ADBF1

Function 00DD8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DD8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00DD8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00DD8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00DD8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00DD8FDA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cf2f43119473df939715e86237c4be1d2f7f2e0ad73e98bb18555c484886bd8d
Instruction ID: d26d2da57c03b910686a162b74bf56280b8e13a4e0712194776f9e27645bf8e9
Opcode Fuzzy Hash: cf2f43119473df939715e86237c4be1d2f7f2e0ad73e98bb18555c484886bd8d
Instruction Fuzzy Hash: D331DF71900219EFDB10CF78D948A9E7BB6EF04315F10422AF924E72D0C7B09964EBA1

Function 00DDB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DDB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DDB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DDB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DDB742
_wcsstr.LIBCMT ref: 00DDB74C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 00d85c159fd85ece5fdfeab98d1dc2f3b88e33e76fb2b9497dfbfa472046e6d2
Instruction ID: de8bf535bf5c3c6fa31dafb00f62f1f20dccfd71f7e3d97c5e26071ed66cb3d7
Opcode Fuzzy Hash: 00d85c159fd85ece5fdfeab98d1dc2f3b88e33e76fb2b9497dfbfa472046e6d2
Instruction Fuzzy Hash: ED21D731604204FFEB255B39AC49E7B7B98DF4A760F15402BF805DA2A1EB62DC4196B0

Function 00E0B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

GetWindowLongW.USER32(?,000000F0), ref: 00E0B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E0B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E0B489
GetSystemMetrics.USER32(00000004), ref: 00E0B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DF1184,00000000), ref: 00E0B4D0

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cbf92e40bf21d2873299bdfd35252e6dd040c551269b32bbcf3e04ec63e9e48b
Instruction ID: d71c3e2f04ba85f7f1ea66c4f46f93d73aedaa0f540cfd8c368fc1ad0d6349bf
Opcode Fuzzy Hash: cbf92e40bf21d2873299bdfd35252e6dd040c551269b32bbcf3e04ec63e9e48b
Instruction Fuzzy Hash: 8121B171510251AFCB208F39CC04A6A37A4FB05724F115738F836E21E1F7309EA0DB90

Function 00DD97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DD9802

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD9834
__itow.LIBCMT ref: 00DD984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD9874
__itow.LIBCMT ref: 00DD9885

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c49ba27b2b3fde5326a5535a171c5f98f5995ecbaf82b7bcaa05bf7269654039
Instruction ID: 20a23b1f54efb84954fc345437da806fefbdc68b1a8d0f9ab6650646b760fb93
Opcode Fuzzy Hash: c49ba27b2b3fde5326a5535a171c5f98f5995ecbaf82b7bcaa05bf7269654039
Instruction Fuzzy Hash: 4521FB71B00204ABDB20AA619C86EAEBBADEF4AB14F080025F905E7341D672DD4597F1

Function 00D812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8134D
SelectObject.GDI32(?,00000000), ref: 00D8135C
BeginPath.GDI32(?), ref: 00D81373
SelectObject.GDI32(?,00000000), ref: 00D8139C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b753b9b2e807961d544de95d676d1e9d9d07b63f39ca577bcb9232d2b6affcd8
Instruction ID: 34e9a6ed2fabeade6ecd04f44adc7bab029f311c8db219c41f4a2733b2c7430b
Opcode Fuzzy Hash: b753b9b2e807961d544de95d676d1e9d9d07b63f39ca577bcb9232d2b6affcd8
Instruction Fuzzy Hash: 8A217478800308DFDB15AF66EC057697BBCFB16322F144226F414B65A0D371989FDBA1

Function 00DDC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00DDC176
_memcmp.LIBCMT ref: 00DDC194
_memcmp.LIBCMT ref: 00DDC1A7
_memcmp.LIBCMT ref: 00DDC1BF
_memcmp.LIBCMT ref: 00DDC1D7

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 159ecc114cba4e156f57b1cfdee026de4c556fd769a3114f84715ab247eada7e
Instruction ID: 323efb6c8f3d220aac539e8d622800d6375c477952130b6c6779044b9ccf9d9f
Opcode Fuzzy Hash: 159ecc114cba4e156f57b1cfdee026de4c556fd769a3114f84715ab247eada7e
Instruction Fuzzy Hash: 0D0192B16143277BE214B6209C42EAB635CDF22394F085126FE04E6383E661EE61C2F0

Function 00DE4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DE4D5C
__beginthreadex.LIBCMT ref: 00DE4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00DE4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DE4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DE4DAC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: dec6112eb43bff5ffade82c9dc20ee4d95b3d11eb28267ebf1a1e7c44837be6f
Instruction ID: 9fa625455ff03b182124c481cb7812b9adbfa111e4482e27f5e31dc06e30ac02
Opcode Fuzzy Hash: dec6112eb43bff5ffade82c9dc20ee4d95b3d11eb28267ebf1a1e7c44837be6f
Instruction Fuzzy Hash: 9D112B76904248BFC7119FAADC04ADB7FACEB46320F144365F914E3261D6B5CD4887B1

Function 00DD874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DD8766
GetLastError.KERNEL32(?,00DD822A,?,?,?), ref: 00DD8770
GetProcessHeap.KERNEL32(00000008,?,?,00DD822A,?,?,?), ref: 00DD877F
HeapAlloc.KERNEL32(00000000,?,00DD822A,?,?,?), ref: 00DD8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DD879D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 836317e45a1cb3801b46f56071202f0cf531b932e391070a3595ac130acbcfa8
Instruction ID: b65001e961d112404eef69a4655a8132aa5d811ff1cf56e4086a1c85fc6b513e
Opcode Fuzzy Hash: 836317e45a1cb3801b46f56071202f0cf531b932e391070a3595ac130acbcfa8
Instruction Fuzzy Hash: D3016D71601204FFDB314FA6EC88D6B7BACFF89355720043AF849D2260DA329C54DA70

Function 00DE54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DE5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DE5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE555E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6492f9e421fd1142a40523d0f2b448c7f219759a07b9e471e1588107c716346d
Instruction ID: 91bfeee38e64a5882e309b636d6971d98653bd397a5a2ef975aa8c4790641bd6
Opcode Fuzzy Hash: 6492f9e421fd1142a40523d0f2b448c7f219759a07b9e471e1588107c716346d
Instruction Fuzzy Hash: FE01AD31C01A19DBCF10EFEAE8885EDBB78FB09305F400056E802B2144CB3185A4C7B1

Function 00DD7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?,?,00DD799D), ref: 00DD766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?), ref: 00DD768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?), ref: 00DD7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?), ref: 00DD76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00DD758C,80070057,?,?), ref: 00DD76B4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 672df2f1ca05adc268e22cf238caba53adbffdade9e44f5ec16cf9d60802db44
Instruction ID: d564b4811b931a83bb6e4e9e6da791881b1b3a0605a69cfe65cd45576b8caca5
Opcode Fuzzy Hash: 672df2f1ca05adc268e22cf238caba53adbffdade9e44f5ec16cf9d60802db44
Instruction Fuzzy Hash: 11017172601604AFDB209F59DC44AAA7BADEB44751F14406AFD04E2211FB32DD5497B0

Function 00DD85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DD8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DD8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DD8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DD8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DD863E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 10528feaa37a024a8c858610dcf69195f94ef77f387f463fd4d0e4207835203b
Instruction ID: d50ea20eef25d1f8ff2f8a8f11d8f2b2cf98f7ce25f534d84f60b4bbff87e2e8
Opcode Fuzzy Hash: 10528feaa37a024a8c858610dcf69195f94ef77f387f463fd4d0e4207835203b
Instruction Fuzzy Hash: 87F06231205305AFEB210FAADC8DF6B3BACEF89764B044426F945D6250CB72DC95EA70

Function 00DD8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD869F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 59ac022b291e54198a6d576f9bff4b4178fe3dab5dda9ad2c7e101607a4eef51
Instruction ID: a4a3f71f97b1b5f86469d49a6a86e0239424b8ac866a797131ef5a5163c4edd4
Opcode Fuzzy Hash: 59ac022b291e54198a6d576f9bff4b4178fe3dab5dda9ad2c7e101607a4eef51
Instruction Fuzzy Hash: D0F04F71201305BFEB321FA6EC88E673BACEF89764B140026F945D7250CA62D995EA70

Function 00DDC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DDC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DDC6D1
MessageBeep.USER32(00000000), ref: 00DDC6E9
KillTimer.USER32(?,0000040A), ref: 00DDC705
EndDialog.USER32(?,00000001), ref: 00DDC71F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5188f1cc19d27efdc0b4bfcf0c80136ccd7d18dca2f56ba9df8d3378e6f37110
Instruction ID: 915f4142e9c3e5305bc553b571306fce2418c71bd228919c36342ddc7075881f
Opcode Fuzzy Hash: 5188f1cc19d27efdc0b4bfcf0c80136ccd7d18dca2f56ba9df8d3378e6f37110
Instruction Fuzzy Hash: 95016230510705ABEB315B61ED4EF9677B8FF00705F04166AF582B15E1DBE2A9A8CFA0

Function 00D813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D813BF
StrokeAndFillPath.GDI32(?,?,00DBBAD8,00000000,?), ref: 00D813DB
SelectObject.GDI32(?,00000000), ref: 00D813EE
DeleteObject.GDI32 ref: 00D81401
StrokePath.GDI32(?), ref: 00D8141C

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 35d06045ef61299cd24e3f2b7612f67c1889a1448d5d9951a3dd0e90ec985f1e
Instruction ID: d49d92a85002de50081387566306b29e40c976a0d2b8a01baf998e2522b1a6ad
Opcode Fuzzy Hash: 35d06045ef61299cd24e3f2b7612f67c1889a1448d5d9951a3dd0e90ec985f1e
Instruction Fuzzy Hash: F4F0CD78004308DFDB255F1BEC0C7543BA8A746326F08C224E469654F1C73245AEDF61

Function 00DEC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DEC69D
CoCreateInstance.OLE32(00E12D6C,00000000,00000001,00E12BDC,?), ref: 00DEC6B5

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

CoUninitialize.OLE32 ref: 00DEC922

Strings

.lnk, xrefs: 00DEC631, 00DEC659, 00DEC663

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 66a85bcc019286580991645ac8736dd13c25781cdb324b3c28051111f7668afa
Instruction ID: cb0d14f6658621651d00d4c36debc4ec66db49a0b7ee962a43d33e474aa17837
Opcode Fuzzy Hash: 66a85bcc019286580991645ac8736dd13c25781cdb324b3c28051111f7668afa
Instruction Fuzzy Hash: 8DA11871108205AFD304FF64C891EABB7E8EF84704F04491CF196971A2EB71EA49CBB2

Function 00D92E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00DA0FF6: std::exception::exception.LIBCMT ref: 00DA102C
Part of subcall function 00DA0FF6: __CxxThrowException@8.LIBCMT ref: 00DA1041

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00D87BB1: _memmove.LIBCMT ref: 00D87C0B

__swprintf.LIBCMT ref: 00D9302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D92EC6

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: afbffeabd09eb7ffaf750bfe354c4b26678aff28a48b04bf8dd9f5ab53c1b287
Instruction ID: b707254700deb4a18af9c2dfb24c6d4cf751dcada9afc966d2eeb78b4b99e724
Opcode Fuzzy Hash: afbffeabd09eb7ffaf750bfe354c4b26678aff28a48b04bf8dd9f5ab53c1b287
Instruction Fuzzy Hash: 67916A71108302AFCB28FF24D895D6EB7A8EF85740F14491DF4969B2A1DB60EE44CB72

Function 00DDB7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DDB981

Strings

%, xrefs: 00DDBA24
Container, xrefs: 00DDB8FE
AutoIt3GUI, xrefs: 00DDB8F9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: 59e48b380a97112a2f493db28bac7f0faa6385c31b87c690a21ad64bdbc98bf2
Instruction ID: b3ec2155f055f4a71d2816005a4a7b0418b74379bc1d92ff39b55eea14e18b6b
Opcode Fuzzy Hash: 59e48b380a97112a2f493db28bac7f0faa6385c31b87c690a21ad64bdbc98bf2
Instruction Fuzzy Hash: DC914B70600201DFDB24CF68C885A6ABBE8FF49714F15856EE946DB791DBB0E840CB60

Function 00DA524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DA52DD

Part of subcall function 00DB0340: __87except.LIBCMT ref: 00DB037B

Strings

pow, xrefs: 00DA52B5, 00DA52D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 009d80c60f9d8a0c96f095857ac9011840ff7017fbb13ebaa6e8aa69994c246d
Instruction ID: 1487250bfba2c0abd3acd71ae440238d8a7f669ea135359249ae90ca34c82c2b
Opcode Fuzzy Hash: 009d80c60f9d8a0c96f095857ac9011840ff7017fbb13ebaa6e8aa69994c246d
Instruction Fuzzy Hash: 80516A31A09601CACB117B15E9413EF6FD4DB42750F288968E4D7412EDEF74CCD89AB6

Function 00DA023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00DA0280
+, xrefs: 00DA0277

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 6e94591e01c380d200a28ad8419f87fa038cacfc383c16256ca5f5dc48dd41e7
Instruction ID: 88d25810fcbdd2e8b8e41de5e8d816eb4c529ffa621c4aaa04167583d8a59c5e
Opcode Fuzzy Hash: 6e94591e01c380d200a28ad8419f87fa038cacfc383c16256ca5f5dc48dd41e7
Instruction Fuzzy Hash: 03513275504246CFDF259F28E4886FA7BA6EF1A310F184056E8919B3A4D734DC46CB71

Function 00D962F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D963A8
_memmove.LIBCMT ref: 00D96446
_memset.LIBCMT ref: 00D9646A

Strings

ERCP, xrefs: 00D96313

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: d3bd467d98a019dcc6a5df753ba85cc544f7f8c5c5a8718d21e99679bb3b5113
Instruction ID: 3bf1e6807c6ec24c19456d33935f533b5fc3adf374974020f199a3bd5d3bcfbe
Opcode Fuzzy Hash: d3bd467d98a019dcc6a5df753ba85cc544f7f8c5c5a8718d21e99679bb3b5113
Instruction Fuzzy Hash: 6951D271904709DFDB24CFA5C8857AABBF4EF44710F24856EEA8ADB240E771D684CB60

Function 00E07BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E0F910,00000000,?,?,?,?), ref: 00E07C4E
GetWindowLongW.USER32 ref: 00E07C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E07C7B

Strings

SysTreeView32, xrefs: 00E07C20

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 0575d5a7da9835b99b44c5c0af7feacc9190c6be24802db401ef58393cc904b2
Instruction ID: d37a1fb05603bf9f019ba0bc65dbe2bc5b2a32ad179b9dc72170e1a68599af11
Opcode Fuzzy Hash: 0575d5a7da9835b99b44c5c0af7feacc9190c6be24802db401ef58393cc904b2
Instruction Fuzzy Hash: A831B231604205AFDB219F34DC45BEA77A9EB49328F245725F8B5B21E0D731EC919B60

Function 00E07648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E076D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E076E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E07708

Strings

SysMonthCal32, xrefs: 00E0769B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3d02ee1bd60e376ba47301f31d29155ab9182dd7b9868ed162e2a2b2a9892a20
Instruction ID: 2a298697967d968336795adbc9d53df223c6c213f3bd70c26b2522abc9a083dd
Opcode Fuzzy Hash: 3d02ee1bd60e376ba47301f31d29155ab9182dd7b9868ed162e2a2b2a9892a20
Instruction Fuzzy Hash: 1321B132500218ABDF11CE54DC46FEA3B69EB48758F111214FE557B1D0DAB2B8958BA0

Function 00E06F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E06FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E06FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E06FDF

Strings

Listbox, xrefs: 00E06F77

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 06409fb51fce42369f08c8273f65c31a39c8a03667d46b2d5948055230832d51
Instruction ID: f169a2d689c62ec1ee818f0b3cacbaa9b24ac2f21c3d9de4fe6642259a200e76
Opcode Fuzzy Hash: 06409fb51fce42369f08c8273f65c31a39c8a03667d46b2d5948055230832d51
Instruction Fuzzy Hash: 6921C532710119BFDF118F54DC85FAB37AAEF89754F019124F904A71D0C6719CA2C7A0

Function 00E0797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E079E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E079F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E07A03

Strings

msctls_trackbar32, xrefs: 00E079B8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e9c17b2c012350d98718a43c5ebab9b3c2021d5fb057394b43b937394f244944
Instruction ID: d9fd17c16264c7e412f2e7ce090f4961e21e08bf7c53ab803a242f87b175e2b1
Opcode Fuzzy Hash: e9c17b2c012350d98718a43c5ebab9b3c2021d5fb057394b43b937394f244944
Instruction Fuzzy Hash: B111E732644208BFEF149F61CC05FDB37A9EFC9B68F024519F641B60D0D272A851CB60

Function 00D84C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D84C2E), ref: 00D84CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D84CB5

Strings

kernel32.dll, xrefs: 00D84C9E
GetNativeSystemInfo, xrefs: 00D84CAF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 403c50735dba43431ff468d14cc0741530b32f0772ac3d858e156b23f737136d
Instruction ID: 0163503cd0246183b095c234c6cb17eca2cbabc366a5538499c8d95baaa88d9c
Opcode Fuzzy Hash: 403c50735dba43431ff468d14cc0741530b32f0772ac3d858e156b23f737136d
Instruction Fuzzy Hash: 86D01730511723CFD730AF72DA1860676E9AF05791B16883AD886E6990EA74D8E0CF60

Function 00D84D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D84CE1,?), ref: 00D84DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D84DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00D84DAE
kernel32.dll, xrefs: 00D84D9D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6988f333a1f7ff3c79f007261e4928aa87f17376a546903d9fcd7a97f1f5e843
Instruction ID: 25be22d084d37fc926e8763eb7a72a163c1d04f5030b8f105b82bcf2cc388664
Opcode Fuzzy Hash: 6988f333a1f7ff3c79f007261e4928aa87f17376a546903d9fcd7a97f1f5e843
Instruction Fuzzy Hash: 66D01771550713CFD730AF32D808A4676E4AF09365F16883AD8C6E6990EB70D8D0CB60

Function 00D84D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D84D2E,?,00D84F4F,?,00E462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D84D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D84D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00D84D7B
kernel32.dll, xrefs: 00D84D6A

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 2942deceeaa628793d20136b16f2f0ad79c98481a35e3b414d28b858a9d11000
Instruction ID: 33e15d084dbf992453eede3ab63711cf329ef1f7505e40ed6d6e14d5565e5617
Opcode Fuzzy Hash: 2942deceeaa628793d20136b16f2f0ad79c98481a35e3b414d28b858a9d11000
Instruction Fuzzy Hash: 60D01770510713CFD730AF32D80861676E8BF15352B198C3AD886E6A90E671D8D0CF60

Function 00E01072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E012C1), ref: 00E01080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E01092

Strings

RegDeleteKeyExW, xrefs: 00E0108C
advapi32.dll, xrefs: 00E0107B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 7e75f6c0c64c4837ad69d59ddac5c920806ab6d86790c5b28f5dc8256da5d2d9
Instruction ID: 15275b2a22bf5f6503a6c5f00882f146ea98719aee7b66ff0bf3f11437b12582
Opcode Fuzzy Hash: 7e75f6c0c64c4837ad69d59ddac5c920806ab6d86790c5b28f5dc8256da5d2d9
Instruction Fuzzy Hash: 8ED01730510712CFD7309F36E818A1B7AE4AF09365F119D7AE8CAFA5A0E770C8C0CA50

Function 00DF93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00DF9009,?,00E0F910), ref: 00DF9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DF9415

Strings

GetModuleHandleExW, xrefs: 00DF940F
kernel32.dll, xrefs: 00DF93FE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: cb02f789f27d0c2f023b8c76580beaae5d9689bdec0124b8796ec6f546ae6038
Instruction ID: 44c7ac8390041098ec0735beab8e072df0cbc8f64daf2830b2ef0f11bdc68c2b
Opcode Fuzzy Hash: cb02f789f27d0c2f023b8c76580beaae5d9689bdec0124b8796ec6f546ae6038
Instruction Fuzzy Hash: DBD0C73090031BDFC7319F32C908202B6E4BF14341B0AC83AE482E2990E670C8C0CA60

Function 00DD76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d99d55b8e4bd73c0eee361b82ed7056239c05cd51f5f7671c3b2f755ef3c468
Instruction ID: 43897b883afe3172101f341cfcbbb4b588c4d4368d681ff49c2860e220bf4e0b
Opcode Fuzzy Hash: 2d99d55b8e4bd73c0eee361b82ed7056239c05cd51f5f7671c3b2f755ef3c468
Instruction Fuzzy Hash: FEC15B75A04216EFCB14CF94C884AAEB7B5FF48710B1585DAE805EB351E730EE81DBA0

Function 00DFE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DFE3D2
CharLowerBuffW.USER32(?,?), ref: 00DFE415

Part of subcall function 00DFDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DFDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DFE615
_memmove.LIBCMT ref: 00DFE628

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 83f7274f8a47142a02c362a19d3b4f5f1dee1be0fca0dba3de051e0d78ba241e
Instruction ID: 5c40a246f27cb34f4e4830f542771085779418eb15049a2cf911984e0555b262
Opcode Fuzzy Hash: 83f7274f8a47142a02c362a19d3b4f5f1dee1be0fca0dba3de051e0d78ba241e
Instruction Fuzzy Hash: 38C18A716083058FC714DF28C48096ABBE4FF88718F19896DF9999B361D730E946CFA2

Function 00DF83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DF83D8
CoUninitialize.OLE32 ref: 00DF83E3

Part of subcall function 00DDDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00DDDAC5

VariantInit.OLEAUT32(?), ref: 00DF83EE
VariantClear.OLEAUT32(?), ref: 00DF86BF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3b8d8c14948e2ba909ec6b82059fbbfc840dd0e888ea31efd99259e08ec3e4cb
Instruction ID: 6d43133303526f80b83c2ddb55bae582a78e4ed59ffb0dec423c1f972d217e48
Opcode Fuzzy Hash: 3b8d8c14948e2ba909ec6b82059fbbfc840dd0e888ea31efd99259e08ec3e4cb
Instruction Fuzzy Hash: B0A137752047059FCB10EF24C895B2AB7E5FF88314F098449FA9A9B3A1CB30ED45DB62

Function 00DD6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DD6E04
SysAllocString.OLEAUT32(00000000), ref: 00DD6EAD
VariantCopy.OLEAUT32 ref: 00DD6EDC
VariantClear.OLEAUT32(?), ref: 00DD6F03

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 18699f8b5bd0444f387f7c147b336b7dee71285017b693e811f349bd153ccb68
Instruction ID: 972db48c033a42f051ae5f09e083ba8952b225694212269c62e1248b29e7cae5
Opcode Fuzzy Hash: 18699f8b5bd0444f387f7c147b336b7dee71285017b693e811f349bd153ccb68
Instruction Fuzzy Hash: 07519330A087019ADB24AF75D891A3AB3E5EF48310F24881FE996DB3D1EA70D8409B75

Function 00E09A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0188F9E0,?), ref: 00E09AD2
ScreenToClient.USER32(00000002,00000002), ref: 00E09B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E09B72

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 86bf60451686d3a0da267faa25b3311bd25880c50b3c40840f9f0405c2e63a38
Instruction ID: 0a9fd623ff3204bcacd88f27d36bd00082635a74376db473d50f5b0c02dee2a2
Opcode Fuzzy Hash: 86bf60451686d3a0da267faa25b3311bd25880c50b3c40840f9f0405c2e63a38
Instruction Fuzzy Hash: 1B513F34A00209EFCF14DF68E8809AE7BB5FB55324F108159F855AB2D2D731AD91CF94

Function 00DF6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00DF6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00DF6CF4

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DF6D58
WSAGetLastError.WSOCK32(00000000), ref: 00DF6D64

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 85122dcd18db39c795162e6ae967ff86de98d0cfb8e82a206cfdefe5307ace54
Instruction ID: b854cddbe18823b663c5a630627335d55589df3a134e0d2734f55a42d3dc622d
Opcode Fuzzy Hash: 85122dcd18db39c795162e6ae967ff86de98d0cfb8e82a206cfdefe5307ace54
Instruction Fuzzy Hash: 87418575740200AFEB25BF64DC96F3A77A5DB04B10F48C018FA599B2D2DA719D0187B1

Function 00DF672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E0F910), ref: 00DF67BA
_strlen.LIBCMT ref: 00DF67EC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a001552d27d2ab5d8c67d12b19e38a58d98ab64348c1a14606cefe31ae94d122
Instruction ID: 2ce4679ca957e294cc813632bd2580c40fe6ba4888f07bb40019b9fc50fdd901
Opcode Fuzzy Hash: a001552d27d2ab5d8c67d12b19e38a58d98ab64348c1a14606cefe31ae94d122
Instruction Fuzzy Hash: DD417F35A00108ABCB14FBA4DCD5EBEB7A9EF48350F158169FA159B292DB31ED44CB70

Function 00DEBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DEBB09
GetLastError.KERNEL32(?,00000000), ref: 00DEBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DEBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DEBB80

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d13644bd8eeb76023898fa44bd1c24862e812a5da5563f80de452fadfa6aa331
Instruction ID: 028fd2cfa6166acb03ab9b22c154a319e2a524d4ea325580cc0cbcba5da2344d
Opcode Fuzzy Hash: d13644bd8eeb76023898fa44bd1c24862e812a5da5563f80de452fadfa6aa331
Instruction Fuzzy Hash: 39412B39200650DFCF10FF25C594A6DBBE1EF49320B198499E88A9B762CB35FD41CBA1

Function 00E08AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E08B4D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: be6f7b159858bd66e1233d74d93ce5c3108a8ce65cf9f3c723e2b3b3462f7ba7
Instruction ID: 33ef6d1be104867b18b5efbd6fd509eaf12679019baf51f22448058c2ba9b3d4
Opcode Fuzzy Hash: be6f7b159858bd66e1233d74d93ce5c3108a8ce65cf9f3c723e2b3b3462f7ba7
Instruction Fuzzy Hash: 8F31F478600204BFEB209E18DE45FE937A4EB06314F246612FAC1F62E0CE31ADC08F51

Function 00E0ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E0AE1A
GetWindowRect.USER32(?,?), ref: 00E0AE90
PtInRect.USER32(?,?,00E0C304), ref: 00E0AEA0
MessageBeep.USER32(00000000), ref: 00E0AF11

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b97a20eb8a039de6af606e622aac984f00b7b0717c5abe2c87205dd76e6018de
Instruction ID: db88838150d4f64cdce391dfbde64d5db4d87964b94247bb2ce9a64e64a5250c
Opcode Fuzzy Hash: b97a20eb8a039de6af606e622aac984f00b7b0717c5abe2c87205dd76e6018de
Instruction Fuzzy Hash: 9741AE74600319DFCB15CF59C884BA97BF5FB4A340F2891B9E854AB291C731A8C6CF92

Function 00DE0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DE1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00DE1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00DE10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00DE110B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 05be255acf0f858e74eeedf90bb2f071e4c599b64e7aa581073a7b30d325fb09
Instruction ID: 9f26698f8be82eee197f27c9537c6069626ed504fa972d093e6e5ad0fab298f1
Opcode Fuzzy Hash: 05be255acf0f858e74eeedf90bb2f071e4c599b64e7aa581073a7b30d325fb09
Instruction Fuzzy Hash: FF313534F446C8AEFB30AA678C05BFABBA9AB45320F08421AE591521D1C3758DD89771

Function 00DE1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00DE1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DE1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00DE11F1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00DE1243

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: aa5d785a1f606fec1a5e9eb607c2f826bcc3f13d23c7fc372d972076d7158eac
Instruction ID: 1d59a26e35d2a0eb3b02edac6d772714512b234e9019fe5f9116b7055a563f31
Opcode Fuzzy Hash: aa5d785a1f606fec1a5e9eb607c2f826bcc3f13d23c7fc372d972076d7158eac
Instruction Fuzzy Hash: F8316834B403989EEF30AA678C057FE7BAAAB49310F08431AE281921D1C37589948775

Function 00DB6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00DB644B
__isleadbyte_l.LIBCMT ref: 00DB6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DB64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00DB64DD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 065921297135fba94cc1c5ec26569313876e535b1a407d4f815a22c7d646f16d
Instruction ID: d41ac97ebf8814f327ea1a255393faa4bc5b805c515f9e64021d0106463198fc
Opcode Fuzzy Hash: 065921297135fba94cc1c5ec26569313876e535b1a407d4f815a22c7d646f16d
Instruction Fuzzy Hash: D131EF3160864AEFDB218F75C844BFA7BA5FF41310F194469F856871A1EB39D890DBB0

Function 00E05175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E05189

Part of subcall function 00DE387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DE3897
Part of subcall function 00DE387D: GetCurrentThreadId.KERNEL32 ref: 00DE389E
Part of subcall function 00DE387D: AttachThreadInput.USER32(00000000,?,00DE52A7), ref: 00DE38A5

GetCaretPos.USER32(?), ref: 00E0519A
ClientToScreen.USER32(00000000,?), ref: 00E051D5
GetForegroundWindow.USER32 ref: 00E051DB

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 79462f29cb17da7e8176e1425591c2db0574b29e532e0b283ea1c4dba7d9729a
Instruction ID: cbb5e063313f973eff220a5b4727c8c2b72a3067289c910df2e730370d08507a
Opcode Fuzzy Hash: 79462f29cb17da7e8176e1425591c2db0574b29e532e0b283ea1c4dba7d9729a
Instruction Fuzzy Hash: 8E313872900108AFCB10EFA5C895AEFB7FDEF88304F14406AE456E7241EA759E44CBB0

Function 00E0C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

GetCursorPos.USER32(?), ref: 00E0C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00DBBBFB,?,?,?,?,?), ref: 00E0C7D7
GetCursorPos.USER32(?), ref: 00E0C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00DBBBFB,?,?,?), ref: 00E0C85E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 36780888dd59f137e8778e731d7030253ea88b52e9405a7745507909b1b4eb4f
Instruction ID: 43cd3bcde2ce2841bf676333982b4d65b071ef67a9fd389551a794b6f6311691
Opcode Fuzzy Hash: 36780888dd59f137e8778e731d7030253ea88b52e9405a7745507909b1b4eb4f
Instruction Fuzzy Hash: 1E31E635500018AFCB29CF59CC98EEA7BB5EB0A310F144165F905A72A1D7316D91DF74

Function 00DA0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00DA0BF2

Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7B20,?,?,00000000), ref: 00D85B8C
Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7B20,?,?,00000000,?,?), ref: 00D85BB0

_fprintf.LIBCMT ref: 00DA0C29
OutputDebugStringW.KERNEL32(?), ref: 00DD6331

Part of subcall function 00DA4CDA: _flsall.LIBCMT ref: 00DA4CF3

__setmode.LIBCMT ref: 00DA0C5E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ab3334fb12bccdfd6937d408fd2d19aaff62f920ada97e24f859210c1d2b46d4
Instruction ID: f8a613495da410b73c619c7e3826128e733dc90bff334cd872dad1838662f1b4
Opcode Fuzzy Hash: ab3334fb12bccdfd6937d408fd2d19aaff62f920ada97e24f859210c1d2b46d4
Instruction Fuzzy Hash: FD1129329042047FCB04B7B5AC479BEBB69DF86320F18015AF208671D2DFA19D969BF5

Function 00DD8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DD8669
Part of subcall function 00DD8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8673
Part of subcall function 00DD8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8682
Part of subcall function 00DD8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD8689
Part of subcall function 00DD8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DD869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00DD8BEB
_memcmp.LIBCMT ref: 00DD8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DD8C44
HeapFree.KERNEL32(00000000), ref: 00DD8C4B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 619a8324101f31b3eb8cf91d79ed357553271f94b575bdda371b68f1bf0771fb
Instruction ID: fd1460662803eb6ae89f8054b3cadf2cade3cbf463e97f16819edadae2cdc94a
Opcode Fuzzy Hash: 619a8324101f31b3eb8cf91d79ed357553271f94b575bdda371b68f1bf0771fb
Instruction Fuzzy Hash: 97219C71E11208EFDB11DFA8C944BEEB7B8EF40350F08409AE454A7240EB31AA46DB70

Function 00DF1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DF1A97

Part of subcall function 00DF1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DF1B40
Part of subcall function 00DF1B21: InternetCloseHandle.WININET(00000000), ref: 00DF1BDD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 499bf3b34715c286618f681e1c7e35bd728bd7a634a5a8365535eeac8325045e
Instruction ID: 648fed2621d0f1ae92547382daa7f70643ed32d41d8518d60731e429edcfd607
Opcode Fuzzy Hash: 499bf3b34715c286618f681e1c7e35bd728bd7a634a5a8365535eeac8325045e
Instruction Fuzzy Hash: 2C21C239200609FFDB119F608C00FBAB7A9FF45700F1A801AFB51A6650E771D8259BB1

Function 00DDE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00DDE1C4,?,?,?,00DDEFB7,00000000,000000EF,00000119,?,?), ref: 00DDF5BC
Part of subcall function 00DDF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00DDF5E2
Part of subcall function 00DDF5AD: lstrcmpiW.KERNEL32(00000000,?,00DDE1C4,?,?,?,00DDEFB7,00000000,000000EF,00000119,?,?), ref: 00DDF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00DDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DDE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00DDE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00DDE237

Strings

cdecl, xrefs: 00DDE22E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: fa8acd51cfcf0c5ff46bbf0c3abd370b3f695866a08a81bcfae0ba9a4db4880b
Instruction ID: 8ac7264d66dbbb1891a6e09efb9dafed59c1358d52299af68e1679cffa5acc93
Opcode Fuzzy Hash: fa8acd51cfcf0c5ff46bbf0c3abd370b3f695866a08a81bcfae0ba9a4db4880b
Instruction Fuzzy Hash: E5117C3A200345EFCB25AF64DC4597A7BB8FF89350B44412AE816CB2A0EB71A85197B4

Function 00DB5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00DB5351

Part of subcall function 00DA594C: __FF_MSGBANNER.LIBCMT ref: 00DA5963
Part of subcall function 00DA594C: __NMSG_WRITE.LIBCMT ref: 00DA596A
Part of subcall function 00DA594C: RtlAllocateHeap.NTDLL(01870000,00000000,00000001,00000000,?,?,?,00DA1013,?), ref: 00DA598F

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6344e0ae27bd5bf54651ef39ce0625c8ad363b0b5c401cabba875cbb4efd9753
Instruction ID: 2aaf8f4ed66c4169410ef037ab4adc142463c0844cce10563f58b18a93a198a5
Opcode Fuzzy Hash: 6344e0ae27bd5bf54651ef39ce0625c8ad363b0b5c401cabba875cbb4efd9753
Instruction Fuzzy Hash: 4E11C432904A15EECF313F75B80579D37D4DF163A0B240429FA46AA391DFB6C9519770

Function 00D84531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D84560

Part of subcall function 00D8410D: _memset.LIBCMT ref: 00D8418D
Part of subcall function 00D8410D: _wcscpy.LIBCMT ref: 00D841E1
Part of subcall function 00D8410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D841F1

KillTimer.USER32(?,00000001,?,?), ref: 00D845B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D845C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DBD6CE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b3ac3456c7815e9c877b8e461678e2781bcd2b1080815a0f5b1498dd16da2047
Instruction ID: 316566ae58957ea6409a78ee26cc83d2711b9b5b0f4cea64d3c99fe2cf84f253
Opcode Fuzzy Hash: b3ac3456c7815e9c877b8e461678e2781bcd2b1080815a0f5b1498dd16da2047
Instruction Fuzzy Hash: EE21FC70904788EFE7329B24DC45BEBBBED9F01304F08009EE69E56141D7745A88CB61

Function 00DF667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DE7B20,?,?,00000000), ref: 00D85B8C
Part of subcall function 00D85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DE7B20,?,?,00000000,?,?), ref: 00D85BB0

gethostbyname.WSOCK32(?,?,?), ref: 00DF66AC
WSAGetLastError.WSOCK32(00000000), ref: 00DF66B7
_memmove.LIBCMT ref: 00DF66E4
inet_ntoa.WSOCK32(?), ref: 00DF66EF

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c43735b44849176315c7c0bd91b49156136f9e48a6f057c9b8d7638811d633ed
Instruction ID: 7bb67896a89bbd04e8c30c0e09fd197de30361147ec6957468af1982310bd8f2
Opcode Fuzzy Hash: c43735b44849176315c7c0bd91b49156136f9e48a6f057c9b8d7638811d633ed
Instruction Fuzzy Hash: 16114936500509AFCB04FBA4ED96DEEB7B8EF04310B188065F506A72A1DB31AE54DBB1

Function 00DD9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DD9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DD9086

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd327bd036dedae22cd315d43810d2e0cec9a4ffaab98207392b9a1e27a1c1d6
Instruction ID: 000a21ef2a746885f4bacf774fd6acc5a84cb0303394e2e0042ac3f790d1ebe3
Opcode Fuzzy Hash: bd327bd036dedae22cd315d43810d2e0cec9a4ffaab98207392b9a1e27a1c1d6
Instruction Fuzzy Hash: 71115E79900218FFDB10DFA5CC84EADFB74FB48310F204096E904B7250D6726E51DBA0

Function 00D81290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00D82612: GetWindowLongW.USER32(?,000000EB), ref: 00D82623

DefDlgProcW.USER32(?,00000020,?), ref: 00D812D8
GetClientRect.USER32(?,?), ref: 00DBB84B
GetCursorPos.USER32(?), ref: 00DBB855
ScreenToClient.USER32(?,?), ref: 00DBB860

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 14058dca6207451524642ceda11057ae1119028e87bce0f9f2cbd09958b49565
Instruction ID: 7f9303c89fbec18f413262a30d45836acc8814d48a4a06c2f353373673d41c57
Opcode Fuzzy Hash: 14058dca6207451524642ceda11057ae1119028e87bce0f9f2cbd09958b49565
Instruction Fuzzy Hash: EB112839900119BFCB10EF94E886AFE77B8FB05310F000456F941E7251D731BA9A8BB9

Function 00DE1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DE01FD,?,00DE1250,?,00008000), ref: 00DE166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00DE01FD,?,00DE1250,?,00008000), ref: 00DE1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DE01FD,?,00DE1250,?,00008000), ref: 00DE169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00DE01FD,?,00DE1250,?,00008000), ref: 00DE16D1

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 625599f8517fab8fee22a72dd82f36f524dbfbac7a809cc407443c1995413ada
Instruction ID: e14bb8c074ecafc8f3723ee4f84769c3433ffbea1113e40400ed5207320f4c1f
Opcode Fuzzy Hash: 625599f8517fab8fee22a72dd82f36f524dbfbac7a809cc407443c1995413ada
Instruction Fuzzy Hash: 0F117C35E0151CDBCF00AFA6D848AEEBF78FF09701F084059E941B6240CB3195A08BE6

Function 00DB7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00DB722B

Part of subcall function 00DB7912: __fltout2.LIBCMT ref: 00DB793B

__cftog_l.LIBCMT ref: 00DB7251
__cftoe_l.LIBCMT ref: 00DB7283

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c788431b71b13f3c426eddbfc0530f83d16a0189ba5ae731be71e46ceb2d7399
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 7B014C3604814AFBCF125E84CC01CEE3F62FFA9355F598615FA1A68031D237C9B1ABA5

Function 00E0B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E0B59E
ScreenToClient.USER32(?,?), ref: 00E0B5B6
ScreenToClient.USER32(?,?), ref: 00E0B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E0B5F5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e21a54384fa4d4ed75427c1899e2f8a49c8d82828ebb8f290e9d2c23e1c049c9
Instruction ID: 4bc1ccfe1cfc0a119325c329bf90477e3fe05cc52b341f003632ed71623a17bd
Opcode Fuzzy Hash: e21a54384fa4d4ed75427c1899e2f8a49c8d82828ebb8f290e9d2c23e1c049c9
Instruction Fuzzy Hash: 4E1146B5D00209EFDB51CF99D8449EEFBB9FB08310F104166E915E3620D735AA658F91

Function 00E0B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E0B8FE
_memset.LIBCMT ref: 00E0B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E47F20,00E47F64), ref: 00E0B93C
CloseHandle.KERNEL32 ref: 00E0B94E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 4c66b0324a1a9902c8caa89aa3b6153d1cdc6cd50e41b24814ad134e6e873af6
Instruction ID: a344863e571969642dd054df971851888dc04fef6ea87b8ab1b4daee5c2f2464
Opcode Fuzzy Hash: 4c66b0324a1a9902c8caa89aa3b6153d1cdc6cd50e41b24814ad134e6e873af6
Instruction Fuzzy Hash: 86F054B56443007FE2102B62AC06F7B7A5CEB4A755F001420FB48F5192D776495987F9

Function 00DE6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00DE6E88

Part of subcall function 00DE794E: _memset.LIBCMT ref: 00DE7983

_memmove.LIBCMT ref: 00DE6EAB
_memset.LIBCMT ref: 00DE6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00DE6EC8

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 5366858e7df173778b07a10668e842d9d8ad1998290f230c7eab87591476f35e
Instruction ID: 1b9ac368c3d35c98a5e0135154dd93e787449a5e4b001c805eaf91153276ff44
Opcode Fuzzy Hash: 5366858e7df173778b07a10668e842d9d8ad1998290f230c7eab87591476f35e
Instruction Fuzzy Hash: 34F0543A200200ABCF116F55DC85A49BB2AEF45320F048061FE085E227C731E951DBB5

Function 00E0C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D8134D
Part of subcall function 00D812F3: SelectObject.GDI32(?,00000000), ref: 00D8135C
Part of subcall function 00D812F3: BeginPath.GDI32(?), ref: 00D81373
Part of subcall function 00D812F3: SelectObject.GDI32(?,00000000), ref: 00D8139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E0C030
LineTo.GDI32(00000000,?,?), ref: 00E0C03D
EndPath.GDI32(00000000), ref: 00E0C04D
StrokePath.GDI32(00000000), ref: 00E0C05B

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2a08b650a4da37232186a87df02e93cca69943072e701350b2dd99cd05e03b93
Instruction ID: 706e44cea6d4456ee5a6eb0538cccae0c615afabff71a949fe76064198e235aa
Opcode Fuzzy Hash: 2a08b650a4da37232186a87df02e93cca69943072e701350b2dd99cd05e03b93
Instruction Fuzzy Hash: 3FF05E35001259FFDB226F56AC0AFCE3F59AF1A311F148100FA11714E287B655A9DBE5

Function 00DDA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00DDA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DDA3AC
GetCurrentThreadId.KERNEL32 ref: 00DDA3B3
AttachThreadInput.USER32(00000000), ref: 00DDA3BA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2b2c8f6435dd837b3d2775bdae0c4c83056a03ecbf821f0aa90155f80d20840f
Instruction ID: 8673481aa6a3b124e2667af9f2b349b3532dd06a71abddbcb7ffdcdd53289474
Opcode Fuzzy Hash: 2b2c8f6435dd837b3d2775bdae0c4c83056a03ecbf821f0aa90155f80d20840f
Instruction Fuzzy Hash: 52E03971541328BADB306BA2EC0CED73F1CEF167A1F048025F509A4460CA72C594CBF0

Function 00D82218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D82231
SetTextColor.GDI32(?,000000FF), ref: 00D8223B
SetBkMode.GDI32(?,00000001), ref: 00D82250
GetStockObject.GDI32(00000005), ref: 00D82258
GetWindowDC.USER32(?,00000000), ref: 00DBC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DBC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00DBC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00DBC112
GetPixel.GDI32(00000000,?,?), ref: 00DBC132
ReleaseDC.USER32(?,00000000), ref: 00DBC13D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 58ea476464f3823ded3640fa376db7e3bd02e4cf7f005d4e4edd9bb0def61687
Instruction ID: eaff3ae3a60cc609a064cada4cec1ce4561436f05172e633caefdfe0087d3eea
Opcode Fuzzy Hash: 58ea476464f3823ded3640fa376db7e3bd02e4cf7f005d4e4edd9bb0def61687
Instruction Fuzzy Hash: 5BE06D32100244EEDB315FA9FC0D7D83B10EB15332F048366FA69680E2877249E4DB21

Function 00DD8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00DD8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00DD882E), ref: 00DD8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00DD882E), ref: 00DD8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00DD882E), ref: 00DD8C7E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: edcb49c2cd20ac272a4a4d9ef3cd84000b7b3d14e50ad54385ec01aad48b978e
Instruction ID: 4ef8357d21b76061312d6eab633513917c3cb6f1307e0452b83eaa50f4c0048f
Opcode Fuzzy Hash: edcb49c2cd20ac272a4a4d9ef3cd84000b7b3d14e50ad54385ec01aad48b978e
Instruction Fuzzy Hash: 49E08636642211DFD7305FB66D0CB563BBCEF50792F084828F245E9050DA358499DB71

Function 00DC2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DC2187
GetDC.USER32(00000000), ref: 00DC2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DC21B1
ReleaseDC.USER32(?), ref: 00DC21D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 017beb73655a8bbd2fa5b2546d6a8e0e925fb45b7e2354d22ffc1c2581da76ee
Instruction ID: d0b7881d09877a25d7fd62a724383b7b1e89d9a47793598a5d5cf0b7b15e7008
Opcode Fuzzy Hash: 017beb73655a8bbd2fa5b2546d6a8e0e925fb45b7e2354d22ffc1c2581da76ee
Instruction Fuzzy Hash: A6E09274800604DFCF109F61D808B6D7BF1EB1C310F108015F886A3220CB3680919F50

Function 00DC219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00DC219B
GetDC.USER32(00000000), ref: 00DC21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00DC21B1
ReleaseDC.USER32(?), ref: 00DC21D2

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1563e97c827bb76c3f86634a64b375915f0ca6b870c34336e28748a271697ff5
Instruction ID: 6a700d5f89979b1ece6dcc052c50c1e17ac18f58971bcf0b82cc2d0ceca3e661
Opcode Fuzzy Hash: 1563e97c827bb76c3f86634a64b375915f0ca6b870c34336e28748a271697ff5
Instruction Fuzzy Hash: 68E01AB5800604EFCF61AFB1D80869D7BF5EB5C310F108025F99AA7620CB7A91959F90

Function 00D863A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00D863AE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 565cccda47658ff02f26f7e668ff3f52ce3bbadd1b90edb3685bea4ff378a472
Instruction ID: ea95a3614713074a8fc129a1d5904649de529242514fd533dfb8054d73d0d8aa
Opcode Fuzzy Hash: 565cccda47658ff02f26f7e668ff3f52ce3bbadd1b90edb3685bea4ff378a472
Instruction Fuzzy Hash: 6FB19F719042099BCF24FF98C8819EEBBB5FF44720F544066E946A7295EB30DE81CBB1

Function 00DFB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00DFB2C3

Strings

xr, xrefs: 00DFB325
xr, xrefs: 00DFB2F9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: dcccb1a500ead5a69a7710491655357ad147498a5594ad89e5cbccf030ab1ea3
Instruction ID: 1bfe7dbcd37813a3672e8e5c334bd469845033ff6fcf206686c01ddc7633c0e1
Opcode Fuzzy Hash: dcccb1a500ead5a69a7710491655357ad147498a5594ad89e5cbccf030ab1ea3
Instruction Fuzzy Hash: CDB17F74A00209AFCB14EF54C891EBAB7B9FF58314F19C45AFA459B292DB70E941CB70

Function 00DEB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9FEC6: _wcscpy.LIBCMT ref: 00D9FEE9

Part of subcall function 00D89997: __itow.LIBCMT ref: 00D899C2
Part of subcall function 00D89997: __swprintf.LIBCMT ref: 00D89A0C

__wcsnicmp.LIBCMT ref: 00DEB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DEB361

Strings

LPT, xrefs: 00DEB292

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c388158972a8162b59fcab0322e80d27e798e2e67ccba17608a9c5d8d3c55dd7
Instruction ID: 1d1bf96908959cad4f7b4b2485666c9e87bee9cef5df4393e5997ea7c81fe7d2
Opcode Fuzzy Hash: c388158972a8162b59fcab0322e80d27e798e2e67ccba17608a9c5d8d3c55dd7
Instruction Fuzzy Hash: DF616075A00215AFCB14EF95C896EBEB7B4EF08320F15406AF546AB291DB70BE40CB74

Function 00D92AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D92AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D92AE1

Strings

@, xrefs: 00D92AD5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d5304febf9c0e0f02c60fa43081cac7263bac7a9ebf9d0e8f1f0126cdc44f266
Instruction ID: 06cf295c2d9b7ea78934b562a09606a77b12031cc54c0150b6e144686f8a8502
Opcode Fuzzy Hash: d5304febf9c0e0f02c60fa43081cac7263bac7a9ebf9d0e8f1f0126cdc44f266
Instruction Fuzzy Hash: 0D5154724187449BD320BF50D896BABBBE8FF84314F96885DF2DA510A1DB308529CB26

Function 00DE99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D8506B: __fread_nolock.LIBCMT ref: 00D85089

_wcscmp.LIBCMT ref: 00DE9AAE
_wcscmp.LIBCMT ref: 00DE9AC1

Strings

FILE, xrefs: 00DE99FA

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 37b9760d384867680b40a7d03af9d658ed2cf4764572cdfefd0a14637dc8a644
Instruction ID: 844ebfdf48d62edae40d0f7680128137d0988cf3ee92945017fbdfd9cf44a544
Opcode Fuzzy Hash: 37b9760d384867680b40a7d03af9d658ed2cf4764572cdfefd0a14637dc8a644
Instruction Fuzzy Hash: 1F41D471A00649BADF20AAA5DC86FEFBBFDDF45710F000079B904F7185DA75AA0487B1

Function 00DC099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00DC09A9

Strings

Dt, xrefs: 00D8A2B1
Dt, xrefs: 00D8A477

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: e18e780dbc99342875c3faa99ecf75f65bbe17941fb6879f65bddf2eecf52720
Instruction ID: 8a5bf98d728366468f7fee5eecf51430d48a86a6429ae282d3c4d135ebfce67d
Opcode Fuzzy Hash: e18e780dbc99342875c3faa99ecf75f65bbe17941fb6879f65bddf2eecf52720
Instruction Fuzzy Hash: 9A51F778608342CFD754DF19C080A2ABBF2BB99354F59585EE9858B321D331EC85CBA2

Function 00DF2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DF2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DF28C8

Strings

|, xrefs: 00DF2899

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 98eec2da9e318abfe9a28f164f39f913b9414c72f0ab7e1c209a8056deffa56a
Instruction ID: f35255e283f4009b6a46c3c8ec647180b97c7dbfc066dd911eb6e4f7b82f1cef
Opcode Fuzzy Hash: 98eec2da9e318abfe9a28f164f39f913b9414c72f0ab7e1c209a8056deffa56a
Instruction Fuzzy Hash: 16311871800119AFCF01AFA1DC85EEEBFB9FF08300F144029F915A6166DA319A56DFB1

Function 00E06CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E06D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E06DC2

Strings

static, xrefs: 00E06D22

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: f3ad7272435ae347e386fbb41bd90eb96f86ff7b361a085967fd0515fe55af0e
Instruction ID: f3d8cb0af4ca88b0bc0925cb0eaa592fbe314073e0e9b4bed851f842d9747fb2
Opcode Fuzzy Hash: f3ad7272435ae347e386fbb41bd90eb96f86ff7b361a085967fd0515fe55af0e
Instruction Fuzzy Hash: 37318171210604AEEB10AF64CC80BFB77B9FF48724F109519F995A7190DB31ACA5DB60

Function 00DE2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DE2E3B

Strings

0, xrefs: 00DE2DF9

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 816057e595f0fa278c80597c4a9de429a909e8a0fa3dfb1e59e3b60a6dc66d79
Instruction ID: 7dfd5e6b7444205693ac80335b9d56d69915aa5189604c3475f149b5c79ca77e
Opcode Fuzzy Hash: 816057e595f0fa278c80597c4a9de429a909e8a0fa3dfb1e59e3b60a6dc66d79
Instruction Fuzzy Hash: F731F531600355ABEB24AF4AD845BBEBBBDFF05750F180069F985A61A0E7709944CB70

Function 00E06943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E069D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E069DB

Strings

Combobox, xrefs: 00E0699D

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 538e8086fa34bf570feeda4df6b20da07af175750c7f52427ec530a997774c2c
Instruction ID: b5ed519728d9bddc4a351622d59157e8a7b0a7421b7dedd0b085745ab27035d2
Opcode Fuzzy Hash: 538e8086fa34bf570feeda4df6b20da07af175750c7f52427ec530a997774c2c
Instruction Fuzzy Hash: 2511B2717002086FEF119F14CC80FEB376AEB893A8F515225F958BB2D0D6719CA187A0

Function 00E06E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D81D73
Part of subcall function 00D81D35: GetStockObject.GDI32(00000011), ref: 00D81D87
Part of subcall function 00D81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D81D91

GetWindowRect.USER32(00000000,?), ref: 00E06EE0
GetSysColor.USER32(00000012), ref: 00E06EFA

Strings

static, xrefs: 00E06EBD

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d8aeff7dd478199d034a367a973877a854b249ed6ca45c04c6b472263ff19bf9
Instruction ID: b08b9dfb0cd9a1d5210f90d666b10cbf8270aa858e507cb8f4655ea5ce2aee02
Opcode Fuzzy Hash: d8aeff7dd478199d034a367a973877a854b249ed6ca45c04c6b472263ff19bf9
Instruction Fuzzy Hash: E8216D7261020AAFDB04DFA8DC45AFA7BB8FB08314F005529FD55E3190D735E8A1DB60

Function 00E06B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E06C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E06C20

Strings

edit, xrefs: 00E06BF5

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 10af635301ae2114a4d7d1e7c7304b8cde52dd2029df70ae98287b59c6a74d38
Instruction ID: 12d73535f29f78ea48c7ef24d1b45bdbfa978c619306e22908f221c63261ebda
Opcode Fuzzy Hash: 10af635301ae2114a4d7d1e7c7304b8cde52dd2029df70ae98287b59c6a74d38
Instruction Fuzzy Hash: 68116AB1500208AFEB209E64DC85BEA37A9EB05378F605724F961E71E0C776DCE59B60

Function 00DE2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DE2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DE2F30

Strings

0, xrefs: 00DE2F07

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6e15bc310e1a465ca91d47a4764be2b1b09d97c18f2c345d0213c2df5d8cdbed
Instruction ID: 6ebe07bc4ed1642f1f0c8c9f45f9d2fdedb2dbb91aee960392e0da3eb3bd7ade
Opcode Fuzzy Hash: 6e15bc310e1a465ca91d47a4764be2b1b09d97c18f2c345d0213c2df5d8cdbed
Instruction Fuzzy Hash: A2118E319012A4ABDB24EA5BDC44BBD77BDEF06714F1800A5F894B72A0D7B0ED0987A1

Function 00DF24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DF2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DF2549

Strings

<local>, xrefs: 00DF2511

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d95c03ad4111f8c017d7471a6dd078582488aae7b0a5f9c1249a50ed8fcdf7a1
Instruction ID: 53aea42c4abb604a00c9a7164ecff6b2afffb772304224c53941950cca7315b6
Opcode Fuzzy Hash: d95c03ad4111f8c017d7471a6dd078582488aae7b0a5f9c1249a50ed8fcdf7a1
Instruction Fuzzy Hash: 2B1132B0101229BEDB248F118C99EBBFF68FF16360F11C12AFA4452200D2B0A981CAF0

Function 00DF80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00DF80C8,?,00000000,?,?), ref: 00DF8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DF80CB
htons.WSOCK32(00000000,?,00000000), ref: 00DF8108

Strings

255.255.255.255, xrefs: 00DF80E3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 2570780c668d2d09e93f35d21a19c0be03abd35b1f2e615cac8f396de5d27c70
Instruction ID: cd461957e953e2e4bae55a9815fc4d99ebd8be1eb929b5590acf24e0d685c392
Opcode Fuzzy Hash: 2570780c668d2d09e93f35d21a19c0be03abd35b1f2e615cac8f396de5d27c70
Instruction Fuzzy Hash: BD11CE34200309ABCB20AF64DC86BBDB364EF04320F148627EA11A7291DA72A815D7B2

Function 00D90A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D83C26,00E462F8,?,?,?), ref: 00D90ACE

Part of subcall function 00D87D2C: _memmove.LIBCMT ref: 00D87D66

_wcscat.LIBCMT ref: 00DC50E1

Strings

c, xrefs: 00D90B0E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: bb8c4073d3028e6ea11e38aee065c9555cf60c5ebefefbed7c53773f34897c55
Instruction ID: 251339e411b7ab590736a06e904971a351e50aedbf9bf15f4fd5f41a5ce19fbe
Opcode Fuzzy Hash: bb8c4073d3028e6ea11e38aee065c9555cf60c5ebefefbed7c53773f34897c55
Instruction Fuzzy Hash: FF11A535A04208DECF10FB64EC02ED977F8EF49354B1040A5B99CE7241EA70EA898731

Function 00DD92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DD9355

Strings

ListBox, xrefs: 00DD931F
ComboBox, xrefs: 00DD92F4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b1076f969f35a1589acd69580f51fb5791e6590a65748e43d2e8388478c30c65
Instruction ID: 8163ad0be2080d596688d10293c496f4fea20319b09164e740c50d77f7f87d78
Opcode Fuzzy Hash: b1076f969f35a1589acd69580f51fb5791e6590a65748e43d2e8388478c30c65
Instruction Fuzzy Hash: D9015275A45214ABCB04FB65CC95CFEB769FF06720B14061AF972673D2DB3299088770

Function 00DD91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DD924D

Strings

ListBox, xrefs: 00DD9217
ComboBox, xrefs: 00DD91EC

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: a460ed9dea1cd36d1bdd369ba17c0dd0ba9b8d17f570d9f3dd6aa48dff1b2588
Instruction ID: a25a380aad71d4d8489cae32204e4386a1a1ee03f1bb698ab17c30db4a1fa432
Opcode Fuzzy Hash: a460ed9dea1cd36d1bdd369ba17c0dd0ba9b8d17f570d9f3dd6aa48dff1b2588
Instruction Fuzzy Hash: 3E017575A412047BCB14FBA0C996DFEB7A8DF15710F540116B512672C1DB12AE089771

Function 00DD9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D87F41: _memmove.LIBCMT ref: 00D87F82

Part of subcall function 00DDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00DDB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DD92D0

Strings

ListBox, xrefs: 00DD929C
ComboBox, xrefs: 00DD9271

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 794c20b9811f5534eb2c320c706dda0c2de330927b037c400917cea5f2c5e3cc
Instruction ID: 802b713a1a2bc561181963eb1b2c1a9d4317ba90c3d865ec99bc56e22c31399b
Opcode Fuzzy Hash: 794c20b9811f5534eb2c320c706dda0c2de330927b037c400917cea5f2c5e3cc
Instruction Fuzzy Hash: 83018471A4120477CB04FBA0C992DFEBBA8DF11710F640116B91263282DB229E0892B5

Function 00DA6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00DA6DD0
__calloc_crt.LIBCMT ref: 00DA6DE9

Strings

@R, xrefs: 00DA6E00

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 4ea364abe4c227377069bae089be54ee585a6829a0d0fca3906212eabd3a6eba
Instruction ID: 9bbae5b0d1a3dc2710b8a409668e98a1ec30e885d50de91cda799cc93a787aca
Opcode Fuzzy Hash: 4ea364abe4c227377069bae089be54ee585a6829a0d0fca3906212eabd3a6eba
Instruction Fuzzy Hash: FCF06875705716EFFB24CF2BFD016512795E743764F184426F100EA1E1EB70C8469675

Function 00DE51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DE51E8
_wcscmp.LIBCMT ref: 00DE51FA

Strings

#32770, xrefs: 00DE51F4

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: d084787c7311a7018075c0078f161fa54bebcd1483f0269d1e402cb111024e21
Instruction ID: 19213a26ad3811eebf12b6ee0106edbe94469d4c6c583cc0510407812ca6dc08
Opcode Fuzzy Hash: d084787c7311a7018075c0078f161fa54bebcd1483f0269d1e402cb111024e21
Instruction Fuzzy Hash: C7E0613390032C1BD720AA96AC09F97F7ACEB41771F000167FD10E3050E660A94587F1

Function 00DD81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DD81CA

Part of subcall function 00DA3598: _doexit.LIBCMT ref: 00DA35A2

Strings

AutoIt, xrefs: 00DD81BE
Error allocating memory., xrefs: 00DD81C3

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: af0ec8c9c9f7403fd8836120fba1ff23a666d32aa7c108e751aa8e9ef1da568b
Instruction ID: 3f8559ca16aa47ede1eaaa6bf40e5d3662d1bd53c4980e3fd1006eed98d058a0
Opcode Fuzzy Hash: af0ec8c9c9f7403fd8836120fba1ff23a666d32aa7c108e751aa8e9ef1da568b
Instruction Fuzzy Hash: FCD0123228531936D21532A96C0BBC679488B05B52F044016BB08655D38AD295D542F9

Function 00DBB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DBB564: _memset.LIBCMT ref: 00DBB571

Part of subcall function 00DA0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DBB540,?,?,?,00D8100A), ref: 00DA0B89

IsDebuggerPresent.KERNEL32(?,?,?,00D8100A), ref: 00DBB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D8100A), ref: 00DBB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DBB54E

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c1dae7f7d65c07309e7a3989e9c9c156e84c8e82b1152e5a39e7bbbcacff7add
Instruction ID: 002d26372960f017b444f236b372881bc51aca847c9907c754d66cdfb025691c
Opcode Fuzzy Hash: c1dae7f7d65c07309e7a3989e9c9c156e84c8e82b1152e5a39e7bbbcacff7add
Instruction Fuzzy Hash: 70E03970200310CED731DF29E5043867BE0AB00724F04892DE446D2660DBB5E448CB72

Function 00E05BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E05BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E05C08

Part of subcall function 00DE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DE555E

Strings

Shell_TrayWnd, xrefs: 00E05BEE

Memory Dump Source

Source File: 00000000.00000002.1648564666.0000000000D81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000000.00000002.1648286791.0000000000D80000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E0F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648620438.0000000000E35000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648665920.0000000000E3F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1648683647.0000000000E48000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_rnoahcrypter.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8a7be5f15484a72476029aa9ffc105f403d3ae7151c762f372710d3d3fdd0816
Instruction ID: 8b9419a94d8730fc5f68d33d5b529b38a26e5c7f9abb4e41ab2b51b0aae746af
Opcode Fuzzy Hash: 8a7be5f15484a72476029aa9ffc105f403d3ae7151c762f372710d3d3fdd0816
Instruction Fuzzy Hash: 43D0C931388311BAE778BB71BC1FF976A14AB10B51F040839F645BA1D4D9E55894C6A0

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rnoahcrypter.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut21A8.tmp

C:\Users\user\AppData\Local\Temp\aut2216.tmp

C:\Users\user\AppData\Local\Temp\derogates

C:\Users\user\AppData\Local\Temp\nonplacental

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
rnoahcrypter.exe

Function 00D83B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00D84AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00D84FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00DE93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00D83015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00D83041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00D871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00D83633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00D83A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00D83778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00D8F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 017925E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00D839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 017923B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144
fileCOMMON

Function 00D8410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre