Edit tour

Windows Analysis Report
XX(1).exe

Overview

General Information

Sample name:	XX(1).exe
Analysis ID:	1467927
MD5:	ceee05227b74e5a1e6d89f3b1cdfd24b
SHA1:	7c7038b477f3d68226abf7eb1f8b4e9b9cfae331
SHA256:	0f30bd5220de4c7fb2d426a392b5fcdbf1062b33a65761cb2af0d4732a2b2c2e
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

XX(1).exe (PID: 7432 cmdline: "C:\Users\user\Desktop\XX(1).exe" MD5: CEEE05227B74E5A1E6D89F3B1CDFD24B)

RegSvcs.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\XX(1).exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.magnatextile.com", "Username": "owais@magnatextile.com", "Password": "ow%{&}mti{&}$is"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3f753:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3f7c5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3f84f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3f8e1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3f94b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3f9bd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3fa53:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3fae3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x4063b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x406ad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x40737:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x407c9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x40833:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x408a5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x4093b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x409cb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1643879662.0000000003760000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 4B 88 44 24 2B 88 44 24 2F B0 2A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2882112766.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 4B 88 44 24 2B 88 44 24 2F B0 2A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.2883398358.00000000034A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7448	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7448	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 164.68.127.9, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7448, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: XX(1).exe.7432.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.magnatextile.com", "Username": "owais@magnatextile.com", "Password": "ow%{&}mti{&}$is"}

Multi AV Scanner detection for submitted file

Source: XX(1).exe	ReversingLabs: Detection: 54%
Source: XX(1).exe	Virustotal: Detection: 28%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: XX(1).exe

Joe Sandbox ML: detected

Source: XX(1).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: XX(1).exe, 00000000.00000003.1642075192.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, XX(1).exe, 00000000.00000003.1642189183.0000000003D00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: XX(1).exe, 00000000.00000003.1642075192.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, XX(1).exe, 00000000.00000003.1642189183.0000000003D00000.00000004.00001000.00020000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 164.68.127.9:587

Source: Joe Sandbox View	IP Address: 164.68.127.9 164.68.127.9
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: CONTABODE CONTABODE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 164.68.127.9:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.magnatextile.com

Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2882367550.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://magnatextile.com
Source: RegSvcs.exe, 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.magnatextile.com
Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2882367550.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1643879662.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.2882112766.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: XX(1).exe, 00000000.00000002.1643106267.0000000000AA5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b1f7f9aa-d
Source: XX(1).exe, 00000000.00000002.1643106267.0000000000AA5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_39e19b78-c
Source: XX(1).exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7bd59caf-6
Source: XX(1).exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e925b12e-d

Source: XX(1).exe, 00000000.00000003.1642538265.0000000003E2D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs XX(1).exe
Source: XX(1).exe, 00000000.00000003.1640439920.0000000003C33000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs XX(1).exe
Source: XX(1).exe, 00000000.00000002.1643879662.0000000003760000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename897bbe9e-ee7c-4e38-aaf9-090ed3100fb6.exe4 vs XX(1).exe

Source: XX(1).exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1643879662.0000000003760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.2882112766.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\XX(1).exe

File created: C:\Users\user\AppData\Local\Temp\autA32.tmp

Jump to behavior

Source: XX(1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\XX(1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: XX(1).exe	ReversingLabs: Detection: 54%
Source: XX(1).exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\XX(1).exe "C:\Users\user\Desktop\XX(1).exe"
Source: C:\Users\user\Desktop\XX(1).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\XX(1).exe"
Source: C:\Users\user\Desktop\XX(1).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\XX(1).exe"	Jump to behavior

Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: XX(1).exe

Static file information: File size 1171456 > 1048576

Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XX(1).exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: XX(1).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: XX(1).exe, 00000000.00000003.1642075192.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, XX(1).exe, 00000000.00000003.1642189183.0000000003D00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: XX(1).exe, 00000000.00000003.1642075192.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, XX(1).exe, 00000000.00000003.1642189183.0000000003D00000.00000004.00001000.00020000.00000000.sdmp

Source: XX(1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XX(1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XX(1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XX(1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XX(1).exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\XX(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\XX(1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\XX(1).exe

API/Special instruction interceptor: Address: 37532B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4978			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 898			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\XX(1).exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\XX(1).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1162008

Jump to behavior

Source: C:\Users\user\Desktop\XX(1).exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\XX(1).exe"

Jump to behavior

Source: XX(1).exe

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883398358.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7448, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	124 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
XX(1).exe	54%	ReversingLabs	Win32.Trojan.Strab
XX(1).exe	29%	Virustotal		Browse
XX(1).exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
api.ipify.org	0%	Virustotal	Browse
magnatextile.com	0%	Virustotal	Browse
mail.magnatextile.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://magnatextile.com	0%	Avira URL Cloud	safe
http://mail.magnatextile.com	0%	Avira URL Cloud	safe
http://magnatextile.com	0%	Virustotal		Browse
http://mail.magnatextile.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false	0%, Virustotal, Browse	unknown
magnatextile.com	164.68.127.9	true	true	0%, Virustotal, Browse	unknown
mail.magnatextile.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000001.00000002.2886362238.0000000005DC2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2883398358.0000000003411000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://magnatextile.com	RegSvcs.exe, 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mail.magnatextile.com	RegSvcs.exe, 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
164.68.127.9	magnatextile.com	Germany		51167	CONTABODE	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467927
Start date and time:	2024-07-05 03:37:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	XX(1).exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:38:31	API Interceptor	29x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
164.68.127.9	rnoahcrypter.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	493084369.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z1chima.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Purchase Order 0030520574.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Purchase Order 0030520574.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO-2024-05369.exe	Get hash	malicious	AgentTesla	Browse
	grace.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	vXykLXCs5d.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	ET2431000075 & ET2431000076.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
172.67.74.152	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	K8mzlntJVN.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	stub.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SongOfVikings.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	M.V TBN - VESSEL'S DETAILS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	0001.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	Luciana Alvarez CV.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Acal BFi UK - Products List 020240704.exe	Get hash	malicious	AgentTesla, RedLine, StormKitty, XWorm	Browse	172.67.74.152
	z4XlS0wTQM.exe	Get hash	malicious	Quasar	Browse	104.26.12.205
	Zz3h8cOX1E.exe	Get hash	malicious	Quasar	Browse	104.26.13.205
	5gO02Ijl9V.exe	Get hash	malicious	GuLoader	Browse	104.26.12.205
	0NJYTCJYLo.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CONTABODE	McrflHf6vg.exe	Get hash	malicious	WhiteSnake Stealer	Browse	167.86.115.218
	rnoahcrypter.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	164.68.127.9
	https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3VfkDRZqOjfShPTiZjGkXYeHH0qcNkYwSSCzibjlmAzeTFQugAGktmmDcLaGVd7xmrhViuDlzvk7LSYra0CxW0GfjPradQJiCp1Lv1-2BJr8tU4uPUlMdZtOopAucgMUwgTsNkjDwJaQiHNbOIjuz9-2F3lablcjJiJu79900Z-2B-2BB-2F6jXyiW_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8pPuOyTauAJYwyhhj24yBhp7RMjj-2F0GEsPKyiUipvQjkQHl7wMea8EX-2BEwxs5CkLSgKbIS5ztD-2FRjTIduXCBnVT1QnOLd-2FvmyGT6B7reFiJd8Uxm5bV4XvIh0yb5H69DRSKW3EikbmS1X801NApBjBxNojnvbDZeuwCzdsxI3Q5aBPTHO4KAIPr3eArcRNMGEhsEzfjMMKf-2F6jodzrXKEkXK5P-2Fd4Xgx-2FJIzg1wpgwJNw-3D-3D#?email=c3BlbmNlci53dW5kZXJsZUBoc2Nwb2x5LmNvbQ==	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	173.249.54.85
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	164.68.127.9
	ABSA NOTIFICATION(.......pdf	Get hash	malicious	HTMLPhisher	Browse	167.86.118.58
	CUfSSHbXry.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	Ak1kDlyIZ8.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	a6pLyc70Eg.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	oG1PQhYd2k.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
	YUjTZrUbFo.elf	Get hash	malicious	Mirai	Browse	173.249.34.252
CLOUDFLARENETUS	OVER DUE INVOICE PAYMENT.docx	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://m.exactag.com/ai.aspx?tc=d9912543bc40b07205bbd26a23a8d2e6b6b4f9&url=http%253AW0S.sdscondo.com/index.xml%23?email=cGV0ZXIuYnJvd24yM0Bxci5jb20uYXU=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://rb.gy/zsqpja	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://singingfiles.com/show.php?l=0&u=2156442&id=64574	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	http://services.business-manange.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.138.117
	http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
	http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	104.26.8.44
	http://www.anuihafw369.xyz/m/register/	Get hash	malicious	Unknown	Browse	104.17.24.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Ship Docs_CI PL HBL COO_.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://singingfiles.com/show.php?l=0&u=2156442&id=64574	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://sula.starladeroff.com/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://pradeeprunner.com/auth.html	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDA	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://sp.26skins.com/steamstore/category/science_fiction/?snr=1_category_4_multiplayeronlinecompetitive_12	Get hash	malicious	Unknown	Browse	172.67.74.152

Process:	C:\Users\user\Desktop\XX(1).exe
File Type:	ASCII text, with very long lines (29780), with no line terminators
Category:	dropped
Size (bytes):	29780
Entropy (8bit):	3.5533246585729676
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbn+Ig6Qm4vfF3if6gyX/:miTZ+2QoioGRk6ZklputwjpjBkCiw2R6
MD5:	C69C6D214EC49C4C68377B0019AC496C
SHA1:	4A15CC347E6C1D934D2FE7F99DFF58E6F905DAA7
SHA-256:	0F9682BD5BE8238C6A09608304309409C24BA3F663A2D72625FDEE0A173C6AE6
SHA-512:	5F8D4E0CD08B184A99CEEBA7A6C22EDB42708DC12EBF8B37B6F9D1861B2093EA3E35BE08A153724C96FE824F8B98FBC72124A6D592C27E0811769F19CAD8569B
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\autA32.tmp

Download File

Process:	C:\Users\user\Desktop\XX(1).exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.906714483935363
Encrypted:	false
SSDEEP:	6144:DR95YCHlkpYPvkUvBxZnICQxQ3ha7S/6yV9y:jH8VQnxQx6JV9y
MD5:	0627D8EA9C9A86C685642A0CADA49435
SHA1:	14B98255BFDB171DD4C4493DBF37A9599750AA06
SHA-256:	E79B150EC9F056E0DEBFAA6377C5B496E17A2AFB00418BC417F9AD3706FF1787
SHA-512:	26EF50CCFAAE562F0F0833BF06B5E2BE09082CE78E4900D47DC9552DE4F897FD02E4510550FEA1B8BAB819BDA15DEBC63619CA341D1F9CA7386E3C5D1640934C
Malicious:	false
Reputation:	low
Preview:	.n.LQ2ABJYPQ..0P.2EA5UFMvG9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30.45L\-.LN.Y.e.1....)\&f=D(^<R]mWT"<]5b,<p#1Z.94...fu+"R".C>:i45LR2AB&I.\|hE..vC.?.$.3.dF0.A.J>..Lj3.'\| .Jl!.Lwb[+Z<.9.mZN.E.2`.:<c(./.]S8vC.?5UFM6G9N30M45LR2.:.?PQD4`.Z2.@1U2.6.9N30M45L.2bCEXYQD.1PZNGA5UFM..9N3 M45.S2AB.YPAD40RZ2@A5UFM6G<N30M45LRREBN]PQ..2PX2E.5UVM6W9N30]45\R2ABNY@QD40PZ2EA5U.X4GiN30MT7L^.@BNYPQD40PZ2EA5UFM6G9N30M4..S2]BNYPQD40PZ2EA5UFM6G9N30M45L.?CB.YPQD40PZ2EA5.GM.F9N30M45LR2ABNYPQD40PZ2EA5Uh9S?MN30U.4LR"ABN.QQD00PZ2EA5UFM6G9N.0MT.>6S5#NY.<D40.[2E/5UF.7G9N30M45LR2AB.YP.jPQ$;2EA.eFM6g;N3&M45FP2ABNYPQD40PZ2.A5.h?E5ZN30A.4LRRCBN.QQD.2PZ2EA5UFM6G9Ns0Mt5LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNY

C:\Users\user\AppData\Local\Temp\autA71.tmp

Download File

Process:	C:\Users\user\Desktop\XX(1).exe
File Type:	data
Category:	dropped
Size (bytes):	9940
Entropy (8bit):	7.596040375820741
Encrypted:	false
SSDEEP:	192:u5jwEiq/w5nw1R9G7k3mkX6xL2suKfvkQ5+If15RTPhikwekbwxsiREx:U6q/w5nwdG7wnCznk9If15RLh8BIsiRy
MD5:	94CF1A211CC50D7AE7F5E7ED9095C7C8
SHA1:	1A955286D1D122EAE43910CE297E1CFEF51C0ABD
SHA-256:	027A34A56BD82FA347A68D8A5207E941093191CE98F22D58DD26F904D0652F31
SHA-512:	B30ADDA6C73383731FD2C6CB3303F0A2B01F6D937F68846DB9EE4AE10608847E988E502BCA46CD0F44BC00E7D275EE59CC4044153316257CC0C3E33703888E9B
Malicious:	false
Reputation:	low
Preview:	EA06..tT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\polygamodioecious

Download File

Process:	C:\Users\user\Desktop\XX(1).exe
File Type:	data
Category:	dropped
Size (bytes):	268288
Entropy (8bit):	7.906714483935363
Encrypted:	false
SSDEEP:	6144:DR95YCHlkpYPvkUvBxZnICQxQ3ha7S/6yV9y:jH8VQnxQx6JV9y
MD5:	0627D8EA9C9A86C685642A0CADA49435
SHA1:	14B98255BFDB171DD4C4493DBF37A9599750AA06
SHA-256:	E79B150EC9F056E0DEBFAA6377C5B496E17A2AFB00418BC417F9AD3706FF1787
SHA-512:	26EF50CCFAAE562F0F0833BF06B5E2BE09082CE78E4900D47DC9552DE4F897FD02E4510550FEA1B8BAB819BDA15DEBC63619CA341D1F9CA7386E3C5D1640934C
Malicious:	false
Reputation:	low
Preview:	.n.LQ2ABJYPQ..0P.2EA5UFMvG9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30.45L\-.LN.Y.e.1....)\&f=D(^<R]mWT"<]5b,<p#1Z.94...fu+"R".C>:i45LR2AB&I.\|hE..vC.?.$.3.dF0.A.J>..Lj3.'\| .Jl!.Lwb[+Z<.9.mZN.E.2`.:<c(./.]S8vC.?5UFM6G9N30M45LR2.:.?PQD4`.Z2.@1U2.6.9N30M45L.2bCEXYQD.1PZNGA5UFM..9N3 M45.S2AB.YPAD40RZ2@A5UFM6G<N30M45LRREBN]PQ..2PX2E.5UVM6W9N30]45\R2ABNY@QD40PZ2EA5U.X4GiN30MT7L^.@BNYPQD40PZ2EA5UFM6G9N30M4..S2]BNYPQD40PZ2EA5UFM6G9N30M45L.?CB.YPQD40PZ2EA5.GM.F9N30M45LR2ABNYPQD40PZ2EA5Uh9S?MN30U.4LR"ABN.QQD00PZ2EA5UFM6G9N.0MT.>6S5#NY.<D40.[2E/5UF.7G9N30M45LR2AB.YP.jPQ$;2EA.eFM6g;N3&M45FP2ABNYPQD40PZ2.A5.h?E5ZN30A.4LRRCBN.QQD.2PZ2EA5UFM6G9Ns0Mt5LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNYPQD40PZ2EA5UFM6G9N30M45LR2ABNY

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.121105411516716
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	XX(1).exe
File size:	1'171'456 bytes
MD5:	ceee05227b74e5a1e6d89f3b1cdfd24b
SHA1:	7c7038b477f3d68226abf7eb1f8b4e9b9cfae331
SHA256:	0f30bd5220de4c7fb2d426a392b5fcdbf1062b33a65761cb2af0d4732a2b2c2e
SHA512:	931eed40bcb985de50c631f1b2565edf4bcdc78d56d9e2b31c608a634367c227325152dc4644d498924bcc09d5a11f3ace19193b9d1ea4aa897747f2b073a4c9
SSDEEP:	24576:WAHnh+eWsN3skA4RV1Hom2KXMmHabDXVNuE25:xh+ZkldoPK8YabD3A
TLSH:	E145BD0273D5C036FFAB92739B6AF24196BC79254133852F13981DB9BD701B2263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6685DB23 [Wed Jul 3 23:13:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FD4EC80C56Dh
jmp 00007FD4EC7FF324h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD4EC7FF4AAh
cmp edi, eax
jc 00007FD4EC7FF80Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FD4EC7FF4A9h
rep movsb
jmp 00007FD4EC7FF7BCh
cmp ecx, 00000080h
jc 00007FD4EC7FF674h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FD4EC7FF4B0h
bt dword ptr [004BF324h], 01h
jc 00007FD4EC7FF980h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FD4EC7FF64Dh
test edi, 00000003h
jne 00007FD4EC7FF65Eh
test esi, 00000003h
jne 00007FD4EC7FF63Dh
bt edi, 02h
jnc 00007FD4EC7FF4AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FD4EC7FF4B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FD4EC7FF505h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x53868	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11c000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x53868	0x53a00	28ba6f6d00f5061ea0a9d96924e34585	False	0.9205232856875935	data	7.8798016417732315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11c000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x4ab30	data			1.000330099879726
RT_GROUP_ICON	0x11b2e8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11b360	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11b374	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11b388	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11b39c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11b478	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 03:38:30.828917027 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:30.828968048 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:30.829020023 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:30.838798046 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:30.838805914 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.356930017 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.356996059 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:31.360694885 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:31.360702038 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.361121893 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.411658049 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:31.413618088 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:31.456516027 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.520653963 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.520741940 CEST	443	49730	172.67.74.152	192.168.2.4
Jul 5, 2024 03:38:31.520790100 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:31.527592897 CEST	49730	443	192.168.2.4	172.67.74.152
Jul 5, 2024 03:38:32.066219091 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:32.072803974 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:32.072879076 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:32.981127977 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:32.981314898 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:32.987627983 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.184051037 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.184236050 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:33.190459013 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.386641979 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.387202024 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:33.392168999 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.598413944 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.598433971 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.598445892 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.598453045 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.598524094 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:33.693921089 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.728215933 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:33.733094931 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.939450026 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:33.942773104 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:33.947587013 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.143902063 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.145231962 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:34.150065899 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.346570015 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.346963882 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:34.351820946 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.569233894 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.569524050 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:34.574423075 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.776788950 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:34.777061939 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:34.781868935 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.027184963 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.027388096 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:35.032247066 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.228354931 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.228934050 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:35.228974104 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:35.228995085 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:35.229013920 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:38:35.233859062 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.233870983 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.234103918 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.234114885 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.533879042 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:38:35.583571911 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:40:12.053180933 CEST	49731	587	192.168.2.4	164.68.127.9
Jul 5, 2024 03:40:12.058012009 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:40:12.255248070 CEST	587	49731	164.68.127.9	192.168.2.4
Jul 5, 2024 03:40:12.255935907 CEST	49731	587	192.168.2.4	164.68.127.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 5, 2024 03:38:30.778460026 CEST	50685	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:38:30.785177946 CEST	53	50685	1.1.1.1	192.168.2.4
Jul 5, 2024 03:38:32.037345886 CEST	50279	53	192.168.2.4	1.1.1.1
Jul 5, 2024 03:38:32.065198898 CEST	53	50279	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 5, 2024 03:38:30.778460026 CEST	192.168.2.4	1.1.1.1	0x7e82	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:38:32.037345886 CEST	192.168.2.4	1.1.1.1	0xa351	Standard query (0)	mail.magnatextile.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 5, 2024 03:38:30.785177946 CEST	1.1.1.1	192.168.2.4	0x7e82	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:38:30.785177946 CEST	1.1.1.1	192.168.2.4	0x7e82	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:38:30.785177946 CEST	1.1.1.1	192.168.2.4	0x7e82	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 5, 2024 03:38:32.065198898 CEST	1.1.1.1	192.168.2.4	0xa351	No error (0)	mail.magnatextile.com	magnatextile.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 5, 2024 03:38:32.065198898 CEST	1.1.1.1	192.168.2.4	0xa351	No error (0)	magnatextile.com		164.68.127.9	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.74.152	443	7448	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-05 01:38:31 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-05 01:38:31 UTC	211	IN	HTTP/1.1 200 OK Date: Fri, 05 Jul 2024 01:38:31 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 89e3a2d2ad0a41c3-EWR
2024-07-05 01:38:31 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 5, 2024 03:38:32.981127977 CEST	587	49731	164.68.127.9	192.168.2.4	220-hosting.magna-group.com ESMTP Exim 4.96.2 #2 Fri, 05 Jul 2024 06:38:32 +0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 5, 2024 03:38:32.981314898 CEST	49731	587	192.168.2.4	164.68.127.9	EHLO 138727
Jul 5, 2024 03:38:33.184051037 CEST	587	49731	164.68.127.9	192.168.2.4	250-hosting.magna-group.com Hello 138727 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jul 5, 2024 03:38:33.184236050 CEST	49731	587	192.168.2.4	164.68.127.9	STARTTLS
Jul 5, 2024 03:38:33.386641979 CEST	587	49731	164.68.127.9	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	21:38:28
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\XX(1).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XX(1).exe"
Imagebase:	0x9f0000
File size:	1'171'456 bytes
MD5 hash:	CEEE05227B74E5A1E6D89F3B1CDFD24B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1643879662.0000000003760000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:38:29
Start date:	04/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\XX(1).exe"
Imagebase:	0xfb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.2885945519.0000000005A90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.2885254830.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883398358.000000000348F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2883166588.000000000312F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2884800788.0000000004411000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883398358.0000000003464000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883398358.0000000003497000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.2882112766.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2883398358.00000000034A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report XX(1).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Ramada

C:\Users\user\AppData\Local\Temp\autA32.tmp

C:\Users\user\AppData\Local\Temp\autA71.tmp

C:\Users\user\AppData\Local\Temp\polygamodioecious

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
XX(1).exe