Edit tour
Windows
Analysis Report
8VB4lVuZk3.exe
Overview
General Information
| Sample name: | 8VB4lVuZk3.exerenamed because original name is a hash value |
| Original sample name: | BF6EE92CF97D4193943CD99DE27B17C4DBD27885CC0A3152B32D2CD97CFFB873.exe |
| Analysis ID: | 1480762 |
| MD5: | 51309d30f3fb3295fea0b6d3084c4d26 |
| SHA1: | 86601e2b6b32ee19c3072221c75ac009165226b7 |
| SHA256: | bf6ee92cf97d4193943cd99de27b17c4dbd27885cc0a3152b32d2cd97cffb873 |
| Tags: | exe |
| Infos: |  |
 | |
Detection
Bdaejec
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected Bdaejec
AI detected suspicious sample
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Uses known network protocols on non-standard ports
AV process strings found (often used to terminate AV products)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Classification
- System is w10x64
8VB4lVuZk3.exe (PID: 6464 cmdline: "C:\Users\ user\Deskt op\8VB4lVu Zk3.exe" MD5: 51309D30F3FB3295FEA0B6D3084C4D26) 
XFAGWZ.exe (PID: 5356 cmdline: C:\Users\u ser\AppDat a\Local\Te mp\XFAGWZ. exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96) 
WerFault.exe (PID: 7288 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 5 356 -s 122 4 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Bdaejec | Yara detected Bdaejec | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
| Timestamp: | 2024-07-24T23:49:20.932540+0200 |
| SID: | 2022930 |
| Source Port: | 443 |
| Destination Port: | 49741 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-24T23:49:03.660681+0200 |
| SID: | 2807908 |
| Source Port: | 49730 |
| Destination Port: | 799 |
| Protocol: | TCP |
| Classtype: | Malware Command and Control Activity Detected |
| Timestamp: | 2024-07-24T23:49:08.723751+0200 |
| SID: | 2807908 |
| Source Port: | 49731 |
| Destination Port: | 799 |
| Protocol: | TCP |
| Classtype: | Malware Command and Control Activity Detected |
| Timestamp: | 2024-07-24T23:49:23.114028+0200 |
| SID: | 2028371 |
| Source Port: | 49743 |
| Destination Port: | 443 |
| Protocol: | TCP |
| Classtype: | Unknown Traffic |
| Timestamp: | 2024-07-24T23:49:58.296193+0200 |
| SID: | 2022930 |
| Source Port: | 443 |
| Destination Port: | 49744 |
| Protocol: | TCP |
| Classtype: | A Network Trojan was detected |
| Timestamp: | 2024-07-24T23:49:02.882461+0200 |
| SID: | 2838522 |
| Source Port: | 55441 |
| Destination Port: | 53 |
| Protocol: | UDP |
| Classtype: | Malware Command and Control Activity Detected |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Avira: | ||
| Source: | URL Reputation: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | URL Reputation: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira URL Cloud: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 0_2_6C8DFE80 | |
| Source: | Code function: | 0_2_6C8DEFB0 | |
| Source: | Code function: | 0_2_6C8DEF70 | |
| Source: | Code function: | 0_2_6C8DF880 | |
| Source: | Code function: | 0_2_6C8DFBF0 | |
| Source: | Code function: | 0_2_6C8DF630 | |
| Source: | Code function: | 0_2_6C8DF180 | |
| Source: | Code function: | 0_2_6C8E0110 | |
| Source: | Code function: | 0_2_6C8E03A0 | |
| Source: | Code function: | 0_2_6C8DF3E0 | |
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Spreading | |
|---|
| Source: | System file written: | Jump to behavior | ||
| Source: | System file written: | Jump to behavior | ||
| Source: | System file written: | Jump to behavior | ||
| Source: | Code function: | 1_2_006B29E2 | |
| Source: | Code function: | 1_2_006B2B8C | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
Networking | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | Code function: | 0_2_6C8FE380 | |
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Binary or memory string: | memstr_f9ecea49-2 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_6C86ED90 | |
| Source: | Code function: | 0_2_6C93AE10 | |
| Source: | Code function: | 0_2_6C8708E0 | |
| Source: | Code function: | 0_2_6C909830 | |
| Source: | Code function: | 0_2_6CC02960 | |
| Source: | Code function: | 0_2_6C982450 | |
| Source: | Code function: | 1_2_006B6076 | |
| Source: | Code function: | 1_2_006B6D00 | |
| Source: | Dropped File: | ||
| Source: | Code function: | ||
| Source: | Process created: | ||
| Source: | Static PE information: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_006B119F | |
| Source: | Code function: | 0_2_6C8A6620 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
Data Obfuscation | |
|---|
| Source: | Unpacked PE file: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_6CC22E2D | |
| Source: | Code function: | 0_2_6CC139F8 | |
| Source: | Code function: | 1_2_006B170E | |
| Source: | Code function: | 1_2_006B600D | |
| Source: | Code function: | 1_2_006B2DAB | |
| Source: | Code function: | 1_2_006B6425 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | System file written: | Jump to behavior | ||
| Source: | System file written: | Jump to behavior | ||
| Source: | System file written: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Evasive API call chain: | graph_1-1063 | ||
| Source: | API coverage: | ||
| Source: | Code function: | 1_2_006B1718 | |
| Source: | Code function: | 1_2_006B29E2 | |
| Source: | Code function: | 1_2_006B2B8C | |
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_1-1038 | ||
| Source: | Code function: | 0_2_00856044 | |
| Source: | Code function: | 0_2_6CA35DF0 | |
| Source: | Code function: | 0_2_6CC131F5 | |
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_6CC04D55 | |
| Source: | Code function: | 0_2_6C806E10 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | Code function: | 0_2_6C80DFD0 | |
| Source: | Code function: | 0_2_6C983860 | |
| Source: | Code function: | 0_2_6C8AABA0 | |
| Source: | Code function: | 0_2_6C8096A0 | |
| Source: | Code function: | 0_2_6C80E010 | |
| Source: | Code function: | 0_2_6C80E050 | |
| Source: | Code function: | 0_2_6C8A4370 | |
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Masquerading | 11 Input Capture | 11 System Time Discovery | 1 Taint Shared Content | 11 Input Capture | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 2 Process Injection | 1 Access Token Manipulation | LSASS Memory | 21 Security Software Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 11 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 2 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 3 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | W32/Jadtre.B | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Dldr.Small.Z.haljq | ||
| 100% | Avira | W32/Jadtre.B | ||
| 100% | Avira | W32/Jadtre.B | ||
| 100% | Avira | W32/Jadtre.B | ||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | URL Reputation | malware | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | URL Reputation | malware | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | phishing | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 100% | Avira URL Cloud | phishing | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | URL Reputation | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | malware | ||
| 100% | Avira URL Cloud | phishing | ||
| 100% | Avira URL Cloud | malware | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ddos.dnsnb8.net | 44.221.84.105 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
| unknown | |
| true |
| unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 44.221.84.105 | ddos.dnsnb8.net | United States | 14618 | AMAZON-AESUS | false |
| Joe Sandbox version: | 40.0.0 Tourmaline |
| Analysis ID: | 1480762 |
| Start date and time: | 2024-07-24 23:48:09 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 6m 7s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 10 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | 8VB4lVuZk3.exerenamed because original name is a hash value |
| Original Sample Name: | BF6EE92CF97D4193943CD99DE27B17C4DBD27885CC0A3152B32D2CD97CFFB873.exe |
| Detection: | MAL |
| Classification: | mal100.spre.troj.evad.winEXE@5/12@1/1 |
| EGA Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.89.179.12
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenFile calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: 8VB4lVuZk3.exe
| Time | Type | Description |
|---|---|---|
| 17:49:22 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 44.221.84.105 | Get hash | malicious | Bdaejec | Browse |
| |
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, Raccoon | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, Sage | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, BlackMoon | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| ddos.dnsnb8.net | Get hash | malicious | Bdaejec | Browse |
| |
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, Raccoon | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, Sage | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, BlackMoon | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| AMAZON-AESUS | Get hash | malicious | Bdaejec | Browse |
| |
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, Raccoon | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec | Browse |
| ||
| Get hash | malicious | Bdaejec, BlackMoon | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
| ||
| Get hash | malicious | Babuk, Bdaejec, Djvu | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\E2EECore.2.7.2.dll | Get hash | malicious | Unknown | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | Unknown | Browse |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 19456 |
| Entropy (8bit): | 6.591085255544899 |
| Encrypted: | false |
| SSDEEP: | 384:1FiSMXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:TsQGPL4vzZq2o9W7GsxBbPr |
| MD5: | CE3711B837D78ACBEBC27E24F811AB3B |
| SHA1: | D66AD1B81D8E20C48F2762059279DEAD23035166 |
| SHA-256: | 700089133E411F19821C21FEB52AAC39488C0A774D54965336001476C6E6041C |
| SHA-512: | EF8B2AA9B0946D1F5F38C53755BD7918143CD7D3FA1839CB962CAE01EE3E6FA43B210252F3171174FAAB4670E9C517F34551E3FACED3F4DD813E11B722A53254 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 2389504 |
| Entropy (8bit): | 6.731349265934764 |
| Encrypted: | false |
| SSDEEP: | 49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf |
| MD5: | A15C53B12DBF4F3989AFFED5EE0CD72C |
| SHA1: | 7951FE0B87D4C4A7F8CEC244F6E51711A38EB0F9 |
| SHA-256: | 764816A579138E72D0C5E9295C8B66EEEF32DF03C3FDFE7D7B24240427DA37A8 |
| SHA-512: | E7AE0823F62ABFBC87072CD1F264F20ED0137CE30918F1CD109C3EAB396693F3DA3EE8FE967DFC49E990B0C9E10BC4B49A6BF5CBD6255F59C7CD5382EA19EF09 |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 31744 |
| Entropy (8bit): | 6.366106543944447 |
| Encrypted: | false |
| SSDEEP: | 768:uWQ3655Kv1X/qY1MSdMuQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdMVGCq2iW7z |
| MD5: | D8D240E0A2F5E5AA13F70F3F76CDF39F |
| SHA1: | 8B4130A9ABCC33B59F436F4632F51588EA8741AF |
| SHA-256: | 11797648A3764375B48527894C6DBE863886C978793A5F3F8A854A242F73967C |
| SHA-512: | 2EDA42A0E4EB53B82AD535B440F57027CE076EB72522151BF7BEAF61483F77BBDB209E8F2A44B2AD16AACD7EF83DB75FCE36A627963A7EDDCA756DBCC62B14ED |
| Malicious: | true |
| Antivirus: |
|
| Reputation: | low |
| Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_XFAGWZ.exe_957b89824991c68958fc10391144288a155074e4_f19a995c_a048fb85-7e30-4984-b3a2-a157f2560227\Report.wer
Download File
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 65536 |
| Entropy (8bit): | 0.9749434271024817 |
| Encrypted: | false |
| SSDEEP: | 96:U7FxIGznNYsghnK7afzQXIDcQgc6n2cEzcw3Ig+HbHg/5ksS/YyNl1zWDUTuFqLP:mTvznNYS0+j2Z2jE/JXzuiFdZ24IO8d |
| MD5: | 30DCB615D105FDDD158B906E178EB296 |
| SHA1: | F04CA4C57116595E3CC2C4227EC79D4F5D4B15DD |
| SHA-256: | 4DF8682F437014FE528AEC5909CA71AD9F481F09B7D43838A78FD22A647D7AB1 |
| SHA-512: | 55D4549BA28EBB44C6CA52F4A1B39823FCA7D9882923A9F035B99C4AED742B539C2756E49AB28D7C1D5330B80762892480E01C759F7EDF9610B6638486F8D265 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 162206 |
| Entropy (8bit): | 1.8387660480578405 |
| Encrypted: | false |
| SSDEEP: | 768:Ax2h9nslsgI4aC/q76EXws40SS/QKGgr:Gf7vaCo6sHZpr |
| MD5: | 5888818B51192B6E4206A8389E64B6C8 |
| SHA1: | 4E5637D784F7148DA7943AE93412B7EBF742B32B |
| SHA-256: | 4E3F31EB9EA43E91C47A50F79AC08C6A85A45CB41D07824ABEF61137D22513AD |
| SHA-512: | AA35112BFE6650617FC64C3168C4401F682C588804ECBB7AA0E6A43763FCE14064536334A6001A8E59BC40F026E38BC9633908B76BBCC81DF8E8F3942CCA45C3 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8272 |
| Entropy (8bit): | 3.6999061397655053 |
| Encrypted: | false |
| SSDEEP: | 192:R6l7wVeJRo64VQe6Y8H65kGgmfGmApDT89bxEsf0pvQbm:R6lXJe6E6YM65VgmfGmJx3fQJ |
| MD5: | 97801AEF98CBF4FDCE62A4E94142D717 |
| SHA1: | F8A42B215E2A4BFEFC2FE6D67EE29562A0E97DEF |
| SHA-256: | FA73F89AAA281D0510690D093171A1D0CFE659265D19A499DA4456EE9B61C9C9 |
| SHA-512: | 13CF2C73EF0A3D8E341BE4EED5243925D992C1A0AF4B61CF80D549081BD4E23A5090739D52747E51FB0B46911C9BD98C526A4DD3286444F72B7FCF2F854A3D25 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Windows\SysWOW64\WerFault.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4551 |
| Entropy (8bit): | 4.462838691168284 |
| Encrypted: | false |
| SSDEEP: | 48:cvIwWl8zsuJg77aI9v1yWpW8VYcYm8M4J8MF3+q8uX3EngoTd:uIjfkI7xV7VQJbP0ngoTd |
| MD5: | FE5B9DC59E474CB047FC237905FD0C4F |
| SHA1: | BD216F46544C313CEC236FE2B592EA5B85441B25 |
| SHA-256: | E299DA9F4F383B7F22A15E293121461DA5D0B74A09F107E927FBD863C51D3A35 |
| SHA-512: | 0C191E272592720E6CE1B46C5C998F7A73D287119245C4CB38D758E7CB4B7AF8F7D4CE33A23F1302625E5866BEF3CA5DA4D77FD58368538D298022759E240123 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 1.5 |
| Encrypted: | false |
| SSDEEP: | 3:Nv:9 |
| MD5: | D3B07384D113EDEC49EAA6238AD5FF00 |
| SHA1: | F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15 |
| SHA-256: | B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C |
| SHA-512: | 0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 4 |
| Entropy (8bit): | 1.5 |
| Encrypted: | false |
| SSDEEP: | 3:Nv:9 |
| MD5: | D3B07384D113EDEC49EAA6238AD5FF00 |
| SHA1: | F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15 |
| SHA-256: | B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C |
| SHA-512: | 0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6 |
| Malicious: | false |
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\8VB4lVuZk3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 8824320 |
| Entropy (8bit): | 6.798757148754891 |
| Encrypted: | false |
| SSDEEP: | 98304:z0PpiCcXz5iqFaFxZkyE2kCeQ+LDSBRAN9ijNnQobT9wdxd+tNrspBAUZLh7ZV/T:QyDBaFxZNb+LwRAN9w1X9wdxrpV9/J |
| MD5: | 8B6C94BBDBFB213E94A5DCB4FAC28CE3 |
| SHA1: | B56102CA4F03556F387F8B30E2B404EFABE0CB65 |
| SHA-256: | 982A177924762F270B36FE34C7D6847392B48AE53151DC2011078DCEEF487A53 |
| SHA-512: | 9D6D63B5D8CF7A978D7E91126D7A343C2F7ACD00022DA9D692F63E50835FDD84A59A93328564F10622F2B1F6ADFD7FEBDD98B8DDB294D0754ED45CC9C165D25A |
| Malicious: | true |
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\8VB4lVuZk3.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 15872 |
| Entropy (8bit): | 7.031113762428177 |
| Encrypted: | false |
| SSDEEP: | 384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr |
| MD5: | 56B2C3810DBA2E939A8BB9FA36D3CF96 |
| SHA1: | 99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC |
| SHA-256: | 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07 |
| SHA-512: | 27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1835008 |
| Entropy (8bit): | 4.465999491658245 |
| Encrypted: | false |
| SSDEEP: | 6144:7IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN3dwBCswSbn:cXD94+WlLZMM6YFHF+n |
| MD5: | 55167F82A7EC0834E8517098699C02B2 |
| SHA1: | 14E0F105A0ECBF76C57AFB7AE9ABE71F5C830061 |
| SHA-256: | EB4DCBDAEBD5BF9E9F25B194C906CD29D0E4980FF8C01EAB3C685309C6C13B67 |
| SHA-512: | 5E750562218CA12875135A5F8BC1243640203C9797F8BA3EAF8C595B19C54F29E1EB8C2F07D0BC7D2EDCD2F322E8B248CC208C4E5B825F06EEC6CA093317D202 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.762726805131574 |
| TrID: |
|
| File name: | 8VB4lVuZk3.exe |
| File size: | 4'354'058 bytes |
| MD5: | 51309d30f3fb3295fea0b6d3084c4d26 |
| SHA1: | 86601e2b6b32ee19c3072221c75ac009165226b7 |
| SHA256: | bf6ee92cf97d4193943cd99de27b17c4dbd27885cc0a3152b32d2cd97cffb873 |
| SHA512: | 73522e0d402ebd24813c8a9c924946385f8169a8554adda3941eade92fae4c85ab875453275989b88de7d3d9da4a715014a3ce79ee05898e6392ecc216ac9a60 |
| SSDEEP: | 49152:XJu1FGR8ETrtVEgHztu+thX44ifGJtSqeQLgza6BDm5TN+IMUu9+d1cL+0:ZuTGR8cVzArOSqeDalc6dc |
| TLSH: | D0160141B68344F2E824293005F39B3AEF7196975B21C6876395DE2C3EB2351F9372E9 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............E...E...E...E...E...E...EJ..E...E...E...E...E...E...E...E...E...E...E...E...E...E!..E...E!..E...E...E...E...E...E6..E... |
 | |
| Icon Hash: | 0e061b160643cbcb |
| Entrypoint: | 0x856000 |
| Entrypoint Section: | ub |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| DLL Characteristics: | |
| Time Stamp: | 0x6486E31D [Mon Jun 12 09:19:25 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 7e5055e656d0de769c5445ff3953d089 |
| Instruction |
|---|
| push ebp |
| mov ebp, esp |
| sub esp, 0000016Ch |
| xor eax, eax |
| push ebx |
| push esi |
| push edi |
| mov dword ptr [ebp-24h], eax |
| mov dword ptr [ebp-10h], eax |
| mov dword ptr [ebp-14h], eax |
| mov dword ptr [ebp-08h], eax |
| mov dword ptr [ebp-0Ch], eax |
| mov dword ptr [ebp-20h], eax |
| mov dword ptr [ebp-18h], eax |
| mov dword ptr [ebp-48h], 47414658h |
| mov dword ptr [ebp-44h], 652E5A57h |
| mov dword ptr [ebp-40h], 00006578h |
| mov dword ptr [ebp-3Ch], 00000000h |
| call 00007F2584E502C5h |
| pop eax |
| add eax, 00000225h |
| mov dword ptr [ebp-04h], eax |
| mov eax, dword ptr fs:[00000030h] |
| mov dword ptr [ebp-28h], eax |
| mov eax, dword ptr [ebp-04h] |
| mov dword ptr [eax], E904C483h |
| mov eax, dword ptr [ebp-04h] |
| mov dword ptr [eax+04h], FFC489DCh |
| mov eax, dword ptr [ebp-28h] |
| mov eax, dword ptr [eax+0Ch] |
| mov eax, dword ptr [eax+1Ch] |
| mov eax, dword ptr [eax] |
| mov eax, dword ptr [eax+08h] |
| mov ecx, dword ptr [eax+3Ch] |
| mov ecx, dword ptr [ecx+eax+78h] |
| add ecx, eax |
| mov edi, dword ptr [ecx+1Ch] |
| mov ebx, dword ptr [ecx+20h] |
| mov esi, dword ptr [ecx+24h] |
| mov ecx, dword ptr [ecx+18h] |
| add esi, eax |
| add edi, eax |
| add ebx, eax |
| xor edx, edx |
| mov dword ptr [ebp-30h], esi |
| mov dword ptr [ebp-1Ch], edx |
| mov dword ptr [ebp-34h], ecx |
| cmp edx, dword ptr [ebp-34h] |
| jnc 00007F2584E5040Eh |
| movzx ecx, word ptr [esi+edx*2] |
| mov edx, dword ptr [ebx+edx*4] |
| mov esi, dword ptr [edi+ecx*4] |
| add edx, eax |
| mov ecx, dword ptr [edx] |
| add esi, eax |
| cmp ecx, 4D746547h |
| jne 00007F2584E50314h |
| cmp dword ptr [edx+04h], 6C75646Fh |
| jne 00007F2584E5030Bh |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0xe6650 | 0x180 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe41b8 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x173000 | 0x2e246c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0xc4000 | 0x730 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xc2455 | 0xc3000 | 79bd633a79fb5f039c4e84cafadc1d75 | False | 0.49658954326923077 | data | 6.540632015181998 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0xc4000 | 0x227d0 | 0x23000 | b69d5a4a746a98d1b5331ec1a596b6a2 | False | 0.3810407366071429 | data | 5.3119644973523465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xe7000 | 0x8b778 | 0x58000 | 131c4b1609393abf97e6ce07255c7f51 | False | 0.3206731622869318 | data | 6.202879261178366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x173000 | 0x2e246c | 0x2e3000 | ff82455577828a8fb15be6e83376e91b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| ub | 0x456000 | 0x5000 | 0x5000 | b4fcd596df60986058b89a35231bcb2a | False | 0.642431640625 | data | 6.037759798580667 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| DLL | 0x173c60 | 0x2d91ae | data | Chinese | China | 1.0003108978271484 |
| TEXTINCLUDE | 0x44ce10 | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273 |
| TEXTINCLUDE | 0x44ce1c | 0x16 | data | Chinese | China | 1.3636363636363635 |
| TEXTINCLUDE | 0x44ce34 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267 |
| RT_CURSOR | 0x44cf88 | 0x134 | data | Chinese | China | 0.5811688311688312 |
| RT_CURSOR | 0x44d0bc | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664 |
| RT_CURSOR | 0x44d1f0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805 |
| RT_CURSOR | 0x44d324 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7 |
| RT_BITMAP | 0x44d3d8 | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.3598901098901099 |
| RT_BITMAP | 0x44d544 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342 |
| RT_BITMAP | 0x44d78c | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444 |
| RT_BITMAP | 0x44d8d0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026 |
| RT_BITMAP | 0x44da28 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442 |
| RT_BITMAP | 0x44db80 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279 |
| RT_BITMAP | 0x44dcd8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395 |
| RT_BITMAP | 0x44de30 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256 |
| RT_BITMAP | 0x44df88 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513 |
| RT_BITMAP | 0x44e0e0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536 |
| RT_BITMAP | 0x44e238 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303 |
| RT_BITMAP | 0x44e390 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615 |
| RT_BITMAP | 0x44e974 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346 |
| RT_BITMAP | 0x44ea2c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296 |
| RT_BITMAP | 0x44eb98 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965 |
| RT_ICON | 0x44ecdc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375 |
| RT_ICON | 0x44efc4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217 |
| RT_ICON | 0x44f0ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | 0.6231695795937647 | ||
| RT_MENU | 0x453314 | 0xc | data | Chinese | China | 1.5 |
| RT_MENU | 0x453320 | 0x284 | data | Chinese | China | 0.5 |
| RT_DIALOG | 0x4535a4 | 0x98 | data | Chinese | China | 0.7171052631578947 |
| RT_DIALOG | 0x45363c | 0x17a | data | Chinese | China | 0.5185185185185185 |
| RT_DIALOG | 0x4537b8 | 0xfa | data | Chinese | China | 0.696 |
| RT_DIALOG | 0x4538b4 | 0xea | data | Chinese | China | 0.6239316239316239 |
| RT_DIALOG | 0x4539a0 | 0x8ae | data | Chinese | China | 0.39603960396039606 |
| RT_DIALOG | 0x454250 | 0xb2 | data | Chinese | China | 0.7359550561797753 |
| RT_DIALOG | 0x454304 | 0xcc | data | Chinese | China | 0.7647058823529411 |
| RT_DIALOG | 0x4543d0 | 0xb2 | data | Chinese | China | 0.6629213483146067 |
| RT_DIALOG | 0x454484 | 0xe2 | data | Chinese | China | 0.6637168141592921 |
| RT_DIALOG | 0x454568 | 0x18c | data | Chinese | China | 0.5227272727272727 |
| RT_STRING | 0x4546f4 | 0x50 | data | Chinese | China | 0.85 |
| RT_STRING | 0x454744 | 0x2c | data | Chinese | China | 0.5909090909090909 |
| RT_STRING | 0x454770 | 0x78 | data | Chinese | China | 0.925 |
| RT_STRING | 0x4547e8 | 0x1c4 | data | Chinese | China | 0.8141592920353983 |
| RT_STRING | 0x4549ac | 0x12a | data | Chinese | China | 0.5201342281879194 |
| RT_STRING | 0x454ad8 | 0x146 | data | Chinese | China | 0.6288343558282209 |
| RT_STRING | 0x454c20 | 0x40 | data | Chinese | China | 0.65625 |
| RT_STRING | 0x454c60 | 0x64 | data | Chinese | China | 0.73 |
| RT_STRING | 0x454cc4 | 0x1d8 | data | Chinese | China | 0.6758474576271186 |
| RT_STRING | 0x454e9c | 0x114 | data | Chinese | China | 0.6376811594202898 |
| RT_STRING | 0x454fb0 | 0x24 | data | Chinese | China | 0.4444444444444444 |
| RT_GROUP_CURSOR | 0x454fd4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25 |
| RT_GROUP_CURSOR | 0x454fe8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25 |
| RT_GROUP_CURSOR | 0x454ffc | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822 |
| RT_GROUP_ICON | 0x455020 | 0x14 | data | 1.25 | ||
| RT_GROUP_ICON | 0x455034 | 0x14 | data | Chinese | China | 1.2 |
| RT_GROUP_ICON | 0x455048 | 0x14 | data | Chinese | China | 1.25 |
| RT_VERSION | 0x45505c | 0x240 | data | Chinese | China | 0.5086805555555556 |
| RT_MANIFEST | 0x45529c | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | 0.5878524945770065 |
| DLL | Import |
|---|---|
| KERNEL32.dll | FlushFileBuffers, SetFilePointer, GetCurrentProcess, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, SuspendThread, ReleaseMutex, CreateMutexA, TerminateThread, SetLastError, IsBadReadPtr, VirtualFree, VirtualAlloc, GetCurrentProcessId, GetEnvironmentVariableA, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, InterlockedExchange, SetStdHandle, IsBadCodePtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetACP, HeapSize, RaiseException, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, SizeofResource, ReadFile, lstrlenW, GetModuleFileNameA, WideCharToMultiByte, MultiByteToWideChar, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, GetFileAttributesA, DeleteFileA, GetLocalTime, GetSystemTime, GetTimeZoneInformation, TerminateProcess, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, WaitForSingleObject, CloseHandle, InterlockedIncrement |
| USER32.dll | GetScrollPos, wsprintfA, CloseClipboard, GetClipboardData, OpenClipboard, SetClipboardData, EmptyClipboard, GetSystemMetrics, GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, IsWindow, PostMessageA, GetTopWindow, GetParent, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, DestroyMenu, IsChild, ReleaseDC, IsRectEmpty, FillRect, GetDC, SetCursor, LoadCursorA, SetCursorPos, SetActiveWindow, GetSysColor, SetWindowLongA, GetWindowLongA, RedrawWindow, EnableWindow, IsWindowVisible, OffsetRect, PtInRect, DestroyIcon, IntersectRect, InflateRect, SetRect, SetScrollPos, SetScrollRange, GetScrollRange, SetCapture, GetCapture, ReleaseCapture, SetTimer, KillTimer, WinHelpA, LoadBitmapA, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, UnregisterClassA, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, LoadStringA, GetSysColorBrush, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect |
| GDI32.dll | SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StretchBlt, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, LineTo, ExtSelectClipRgn, CreatePalette, GetSystemPaletteEntries, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, StartPage, GetTextMetricsA, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetViewportExtEx |
| WINMM.dll | midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutReset, waveOutPause, waveOutWrite, waveOutPrepareHeader, waveOutUnprepareHeader, waveOutRestart |
| WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA |
| ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegQueryValueA, RegSetValueExA, RegCreateKeyExA |
| SHELL32.dll | ShellExecuteA, Shell_NotifyIconA |
| ole32.dll | CLSIDFromProgID, OleInitialize, OleUninitialize, CLSIDFromString, CoCreateInstance, OleRun |
| OLEAUT32.dll | SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, VariantClear, VariantChangeType |
| COMCTL32.dll | ImageList_GetImageCount, ImageList_SetBkColor, ImageList_Destroy, ImageList_Read, ImageList_Duplicate |
| WS2_32.dll | recvfrom, ioctlsocket, recv, getpeername, accept, ntohl, WSAAsyncSelect, inet_ntoa, closesocket, WSACleanup |
| comdlg32.dll | GetFileTitleA, GetSaveFileNameA, GetOpenFileNameA, ChooseColorA |
| Name | Ordinal | Address |
|---|---|---|
| e2ee_CacheClear | 1 | 0x476b40 |
| e2ee_CacheDecr | 2 | 0x476b80 |
| e2ee_CacheDelete | 3 | 0x476b20 |
| e2ee_CacheExists | 4 | 0x476b00 |
| e2ee_CacheGet | 5 | 0x476a40 |
| e2ee_CacheGetMulti | 6 | 0x476ac0 |
| e2ee_CacheGetMultiText | 7 | 0x476ae0 |
| e2ee_CacheGetText | 8 | 0x476a60 |
| e2ee_CacheIncr | 9 | 0x476b60 |
| e2ee_CacheSet | 10 | 0x476a80 |
| e2ee_CacheSetExpire | 11 | 0x476ba0 |
| e2ee_CacheSetText | 12 | 0x476aa0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Chinese | China |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 2024-07-24T23:49:20.932540+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49741 | 20.12.23.50 | 192.168.2.4 |
| 2024-07-24T23:49:03.660681+0200 | TCP | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| 2024-07-24T23:49:08.723751+0200 | TCP | 2807908 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| 2024-07-24T23:49:23.114028+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49743 | 443 | 192.168.2.4 | 13.89.179.12 |
| 2024-07-24T23:49:58.296193+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49744 | 20.12.23.50 | 192.168.2.4 |
| 2024-07-24T23:49:02.882461+0200 | UDP | 2838522 | ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup | 55441 | 53 | 192.168.2.4 | 1.1.1.1 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 24, 2024 23:49:03.241332054 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.249254942 CEST | 799 | 49730 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:03.249592066 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.250174999 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.257889032 CEST | 799 | 49730 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:03.659729958 CEST | 799 | 49730 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:03.660010099 CEST | 799 | 49730 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:03.660681009 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.660681009 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.676515102 CEST | 49730 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:03.690068007 CEST | 799 | 49730 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:08.293709040 CEST | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:08.298846006 CEST | 799 | 49731 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:08.298970938 CEST | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:08.299634933 CEST | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:08.304548979 CEST | 799 | 49731 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:08.723659039 CEST | 799 | 49731 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:08.723685026 CEST | 799 | 49731 | 44.221.84.105 | 192.168.2.4 |
| Jul 24, 2024 23:49:08.723751068 CEST | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| Jul 24, 2024 23:49:23.682876110 CEST | 49731 | 799 | 192.168.2.4 | 44.221.84.105 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 24, 2024 23:49:02.882461071 CEST | 55441 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jul 24, 2024 23:49:03.235528946 CEST | 53 | 55441 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 24, 2024 23:49:02.882461071 CEST | 192.168.2.4 | 1.1.1.1 | 0x1962 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 24, 2024 23:49:03.235528946 CEST | 1.1.1.1 | 192.168.2.4 | 0x1962 | No error (0) | 44.221.84.105 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 44.221.84.105 | 799 | 5356 | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 24, 2024 23:49:03.250174999 CEST | 288 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 44.221.84.105 | 799 | 5356 | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Jul 24, 2024 23:49:08.299634933 CEST | 288 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 17:49:01 |
| Start date: | 24/07/2024 |
| Path: | C:\Users\user\Desktop\8VB4lVuZk3.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 4'354'058 bytes |
| MD5 hash: | 51309D30F3FB3295FEA0B6D3084C4D26 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
| Target ID: | 1 |
| Start time: | 17:49:02 |
| Start date: | 24/07/2024 |
| Path: | C:\Users\user\AppData\Local\Temp\XFAGWZ.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x6b0000 |
| File size: | 15'872 bytes |
| MD5 hash: | 56B2C3810DBA2E939A8BB9FA36D3CF96 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 4 |
| Start time: | 17:49:08 |
| Start date: | 24/07/2024 |
| Path: | C:\Windows\SysWOW64\WerFault.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x8d0000 |
| File size: | 483'680 bytes |
| MD5 hash: | C31336C1EFC2CCB44B4326EA793040F2 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 0.1% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 87.5% |
| Total number of Nodes: | 8 |
| Total number of Limit Nodes: | 1 |
Graph
Function 00856044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171fileprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA35DF0 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8A6620 Relevance: 3.0, APIs: 2, Instructions: 44comCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC131F5 Relevance: 3.0, APIs: 2, Instructions: 8COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8096A0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C982450 Relevance: .4, Instructions: 369COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C909830 Relevance: .2, Instructions: 242COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8708E0 Relevance: .1, Instructions: 137COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8AABA0 Relevance: .1, Instructions: 124COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C86ED90 Relevance: .1, Instructions: 118COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C93AE10 Relevance: .1, Instructions: 117COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC02960 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DF630 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DF3E0 Relevance: .1, Instructions: 65COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DF180 Relevance: .1, Instructions: 59COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DFE80 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DFBF0 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8E0110 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8E03A0 Relevance: .1, Instructions: 57COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DEFB0 Relevance: .0, Instructions: 46COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C806E10 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8A4370 Relevance: .0, Instructions: 38COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C80E050 Relevance: .0, Instructions: 35COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C983860 Relevance: .0, Instructions: 33COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C80DFD0 Relevance: .0, Instructions: 23COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C80E010 Relevance: .0, Instructions: 22COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DF880 Relevance: .0, Instructions: 10COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8DEF70 Relevance: .0, Instructions: 8COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8FE380 Relevance: .0, Instructions: 7COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C984790 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113windowlibraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CAEDAC0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 57stringregistryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA663E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53memorylibraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CC6E4C0 Relevance: 10.6, APIs: 7, Instructions: 133COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8ECF70 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA6DC60 Relevance: 6.3, APIs: 5, Instructions: 76COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8A2ED0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6CA66920 Relevance: 6.1, APIs: 4, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 6C8E75A0 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 32.5% |
| Dynamic/Decrypted Code Coverage: | 10.4% |
| Signature Coverage: | 10.4% |
| Total number of Nodes: | 297 |
| Total number of Limit Nodes: | 12 |
Graph
Callgraph
Function 006B29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128stringfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65timeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144filesleepmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100stringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74stringsleepprocessCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70stringsynchronizationthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B14E1 Relevance: 4.6, APIs: 3, Instructions: 55COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1915 Relevance: 4.5, APIs: 3, Instructions: 41timeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B6158 Relevance: 2.6, APIs: 2, Instructions: 58memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 006B6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|