Edit tour

Windows Analysis Report
LisectAVT_2403002A_20.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_20.exe
Analysis ID:	1482427
MD5:	c4d3655d5c8b473292c064ea6392e59e
SHA1:	7dff8774fabb5e6ef3a9a695d89e8c369d2cd6f4
SHA256:	b3a927c1fdd44c0c8f0c819cb62ca6e0fa8362b9fb7d5baa10cd5348e4a20bde
Tags:	exe
Infos:

Detection

Mars Stealer, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected Mars stealer

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

One or more processes crash

PE file contains an invalid checksum

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_20.exe (PID: 5264 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_20.exe" MD5: C4D3655D5C8B473292C064EA6392E59E)

WerFault.exe (PID: 3872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "http://185.172.128.26/f993692117a3fda2.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1318:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
Click to see the 7 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T22:52:34.932648+0200
SID:	2022930
Source Port:	443
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T22:51:57.594251+0200
SID:	2022930
Source Port:	443
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_20.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.172.128.26/f993692117a3fda2.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.26/f993692117a3fda2.php"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Sample uses string decryption to hide its real strings

Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ""
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: jjnnllllddbbffbbxxxxxx~~rrvvttttLLJJNNJJ@@@@@@FFZZ^^\\\\TTRRVVRR
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: pppppppppppp\|\|\|\| ,,,,4444<<<<88888888
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: <<::>>::00000066**..,,,,$$""&&""
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: llllttttdddd\|\|\|\|\|\|\|\|ddddttttllllLLLLTTTTDDDD\\\\\\\\DDDDTTTTLLLL,,,,4444$$$$<<<<<<<<$$$$4444,,,,llllttttdddd\|\|\|\|\|\|\|\|ddddttttllllLLLLTTTTDDDD\\\\\\\\DDDDTTTTLLLL
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: hhhhhhhh(((((((?66::>>::66..-/-SUWUS]_]SUWUSmomsuwuDDDDLLLLDDDD\|\|\|\|DDDDLLL{}}{egekmomkege[]_][%'226622>79;9?9;97
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: lllltttt\|\|\|\|tt~~ppppbb^^""&&""..""&&""LLLL4444<<<<4444LL>>::FFJJNNJJFFZZ^^((((XXXXXXXXhhhhhhjjnnjjvvzz~~zz\|\|\|\|
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 4444<<>>888822..$$$$dd^^ZZffjjnnPPPPppppppJJFFzz~~zz\|\|\|\|DDDDLLvvrrNNRRVVhhhhXXXXXXbb
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tttt\|\|\|\|\|\|\|\|ttttddddllllllllddddTTTT\\\\\\\\TTTTDDDDLLLLLLLLDDDD
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 6-/-+575;=?= ;575+-/-+
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: <<<<4444
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ((((((((888888=?=26622..Y[Y_Y[Ygikioikigy{yyLLLDDDD\|\|\|\|DDDDLLLLDDsqwqsqoQSQWQSQ_QSQWQSf
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: xxxxxxxhhhhhhhh0000000000000$$$<<<<$$$$,,,,$$$$
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwxy~~txyz{\|}~t
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?9EFGHIJK
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: O66::deZ[\=?=c>>::66p+)/]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_`abcdeZ[\]^_acagacRRVVRRnnrrvvOMKEGEACAGAC'rrvvrrNNRRVV4omkegev-#%61
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs!"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: %'#$%&'()..012345679;9ttrstuvwxyjm
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .26:6::>2>>226:&&**.".."ikSQacaoacJM
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: []_][EGEKMIKOARU
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: /#%33
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~~~tuvwxyz\|}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tuvwx9;9?}@AB
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: JKLMNOXYZ[`abcde<<444<44nopqrsZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXYZ[\]^WXXRRVVRZVVLLDDDvzz$%&'()pppppxhh234567bbf-/%+-uvwxyk5
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs!"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: (((((((()*+-/-+575;=?=;575pqrsuwus}lg
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 26622>>226Y[Y_WQSQ_QBE
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: WIZ]stuvRxzC123]5[/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwxyz{\|}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tuvwxyz~z{\|tuvwxyz
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?9EFGHIJK
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: OPQRSZ_`abc>>::66jklmn5+-/-_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_Z[\]^_\\TTTTKIOIKI!xxxxxx()*+,wusmom34567bbf-/-stuvw""72
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: hiqrnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsmnopqrsomkuwu{fbb~~bby{ygiki!"NJJVVZZ*+ACA_ACA34XXXHHHqrko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .6:26622>>2:>>::&&.&*.egekmoWUikx{
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: WY[Y_Y[YWIZ]stuvWWIK+/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ,m
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: t6+q1
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Zxyz
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: cvapbuqvabs{wb
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: uuawftrr
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: s
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tuvwtuvtuv\|}tuvw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 3-QRSTUVW
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs!"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikIKSUWUS]_]SUFA
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 567D9+/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Nl32dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: %s\%V\%s
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwxyz{\|}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tuvwxyz{\|}tuvz{\|}tuvwx
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: i000000deqrjklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijklmnopqrsijkllllttttcagacaacag~rrvLLLTTTT()CAGACA_ACAG56^RRVwx
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ..%&'((((((((8888888789:qsqwqsqqs`c
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: :>>::&&**._ACAGACAOARU
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: }567y9n/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: &+8,?E
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: +-n 1,"U4-ic$
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 91ra137F&es
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: r.*
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Y+MerJ5ZFml
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: _
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: I*VE4k
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwx~~tuvwxz{\|tuvwx
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: \|=AB@AB
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: G..226622>>22lmnoZ?o**..^_`abcdefghijklmnoZ[\]^_`abcdefghijklmnoZ[\]^_`abcdefghijklmnoZ[\]^_`abcdefghijklmnoZ[\]^_`abcdefghijklmnoZ[\]^_`abcdefghijklmnoXXXXXXhhhhhhhhxxxxxxxxCA}}{EGEKMOMKEGE[]_][5llddd/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: qrs!"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: &..&&::9;9<<<444/ffjjnTTT\\MH
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: [EGEKM^Ywxyzb2/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXYZ[\]^_`abcefgs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: $#!'!#&**..-/-+50000075;=?qsqwqttt\|\|jm
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 4445753=?=:>>::&&#!'!#!/((cegecdddll}x
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: >2WY[Y_Y[PPPAD
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: CEGJEKMONSV
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 456789+/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwxyz{\|}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~tuvwxyz{\|}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: xyz\|}z{z{\|}x
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !"#$%&'()*+,-./0123456789:pqrstuvwxyko
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: @@@@DT#7!WI]G\SO6'I@43@@st@@C@@@CD!"GHrKL/BOPdcmaeinhP!01efm;--0G<&2TSRuvG-20`uk`ry89+/
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Ip!-n`E=
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: B24Yw0
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 2
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ;
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~MJTu`Y
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: @W4t$krM
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: dle
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 6\|`s
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: VQPUUkkTK
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: {}snzhNS\
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 6z
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Z(3Y
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: WN1CBQ
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: K{{jh
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tU
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: a@"O@\|*
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: r}~mLT,/?Z
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 7*yN
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tn
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: oA\|
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: a
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: xZ~Mi
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 4V<!;bjw3%V.?3p
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: npllX#
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: \|a
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: z7-i)G
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: y
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: LXX?v{qazkspaw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: sLCO%DOaHJE&
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: d;y<>MTQK-\
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: nnbyrvjm{nmjrr
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ";H6)4
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: fHFQp
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: rb{dwy
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 2a}
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !=`O
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: pd\|rfbYU
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 8{dygt:}{W7N
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: [\-
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 7.(fU5c%RclK
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: {s0R5OgcWOD
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: gC~rog`vvoC
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: pv
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: }Hv
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: j}b`dxjkd
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: l*dx%y
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: do;Pe;D>
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: eQw<$\|3
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: WueFEGc
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: U{Vhvtim\v
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: S#S3
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: cVJA!r4zU
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: <d(*
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: io$q
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: } {rbRGY
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: leA
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ^{qwh_
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: w\|e
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: `\|o
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: d{dpa9GA3\|}FVD4
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: s@`iPjJ(3 epx9ML
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 78OW5jyNoFC
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: !)1
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 4\col^ivHYr
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: nh1"
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: tq}8Tyvpqe~N
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: -yJ+$pzq`-ho+
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: wd
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: _uvaf
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: r
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 4632FD
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .Usi
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: t
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: wininet.dr
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: shlwapi.dvz
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: shell32.d
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: &jZB3
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: t5N zFuD
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: asfwrdf^gzP4
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ]^(;cLAn;>
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: q0`
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: wcoejdh
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: l
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: mF0
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .rdM8A1
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: BxHp*gwTnwqs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: S
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ayDy
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: }Tuh1
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: m
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: P #9"ccIgfue@k35-&
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 1hee
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: P^;nu!D$%+
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ggoizb`p
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Mor
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: eoS^Rs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: VZBzQq{0QFa
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: w{
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: wTFL;rg?ab
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 5ko{88F
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: vjE
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor:
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: eJLN3gy`
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 1obz}#lC
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Vec
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?)6:f{ $IWB;euL
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: #zvjmuCkS2}wq
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Rrq3
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: uX
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: djiCusEv
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: jJ'
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: zxt
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: `5#nwlw5`
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?Yn
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: n
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ihsbu
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ?*t}z.O
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: }{_Pzj
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: rr7ZmP
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~7*9?%g5
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: J4FXuHFP6
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ih\w
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: `}~o{
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: lob
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: aimkcZfk
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: e8ytWu3]259
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ~sSZapEw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 6
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: up7[5F8@B7;'e
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: xm\|nxymr~`~ojs\|}~
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: gbzzpeqdx{qfe
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: :$voz]afv6$x
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: dns
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: RTSB49
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: T'&
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: logintg
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 04bsB
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: nvH(
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: Wk
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ging
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: K{{jhX
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: npllX#
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .Usi
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack	String decryptor: login:

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack

Source: LisectAVT_2403002A_20.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.172.128.26/f993692117a3fda2.php

Source: Amcache.hve.4.dr

String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: String function: 004043B0 appears 316 times

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456

Source: LisectAVT_2403002A_20.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_008A4346 CreateToolhelp32Snapshot,Module32First,

0_2_008A4346

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5264

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c9d13fc-3620-46a0-aed7-b76d5115d46b

Jump to behavior

Source: LisectAVT_2403002A_20.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe "C:\Users\user\Desktop\LisectAVT_2403002A_20.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Unpacked PE file: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_00415ED0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00415ED0

Source: LisectAVT_2403002A_20.exe

Static PE information: real checksum: 0x3c08f should be: 0x3c093

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_004176C5 push ecx; ret	0_2_004176D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_008AC443 pushad ; retf C3E8h	0_2_008AC46B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_0227792C push ecx; ret	0_2_0227793F

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

0_2_00415ED0

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

API coverage: 5.0 %

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_00401120 GetSystemInfo,ExitProcess,

0_2_00401120

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: LisectAVT_2403002A_20.exe, 00000000.00000002.2193378244.000000000088E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24360
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24363
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24375
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24382
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24501
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24210
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	API call chain: ExitProcess graph end node	graph_0-24383

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00417B4E

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

0_2_00415ED0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h]	0_2_00415DC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_008A3C23 push dword ptr fs:[00000030h]	0_2_008A3C23
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_02276027 mov eax, dword ptr fs:[00000030h]	0_2_02276027
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_0226092B mov eax, dword ptr fs:[00000030h]	0_2_0226092B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_02260D90 mov eax, dword ptr fs:[00000030h]	0_2_02260D90

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_00419DC7 SetUnhandledExceptionFilter,	0_2_00419DC7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417B4E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004173DD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_02277644 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_02277644
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_0227A02E SetUnhandledExceptionFilter,	0_2_0227A02E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe	Code function: 0_2_02277DB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_02277DB5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_004135E0 GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_004135E0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_20.exe

Code function: 0_2_004143C0 GetUserNameA,

0_2_004143C0

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_20.exe.2290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_20.exe.2260e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Software Packing	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_20.exe	100%	Avira	TR/Kryptik.zlbti

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://185.172.128.26/f993692117a3fda2.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.26/f993692117a3fda2.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482427
Start date and time:	2024-07-25 22:50:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_20.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 16 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: LisectAVT_2403002A_20.exe

Simulations

Behavior and APIs

Time	Type	Description
16:51:54	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_c7b5203bb51c74a66cfecff0322c301d262e365b_1762b4af_22897c61-9cb0-4a6e-8669-723f8d33773a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7840849924563663
Encrypted:	false
SSDEEP:	96:MSCyNXtWsLyhqeLI7qLfHQXIDcQjc6EObQcENcw3UjU+HbHg/8BRTf3o8Fa9SAjk:/CaW2o0094ObQXkjJdzuiFMZ24IO8T
MD5:	5D384B343327C7772448E4BBCB41298B
SHA1:	57D85F0F09D92386040EA13F16685537227D8A83
SHA-256:	11EF7D50F960CD0F50E4FAEADD2AB65646FCBF2746A19674469E8762618AAD7B
SHA-512:	EE479956F5D667ED0AC798BEE1F553ACD8DA9046B68706D337928FCF1DFCA2C2F62521D702507D2A0BF362F550E8CC833D75E849B6063017C5434436E13D6495
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.4.1.4.2.9.7.4.0.6.4.6.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.4.1.4.2.9.7.7.5.0.2.2.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.8.9.7.c.6.1.-.9.c.b.0.-.4.a.6.e.-.8.6.6.9.-.7.2.3.f.8.d.3.3.7.7.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.4.7.5.e.b.8.-.f.9.f.0.-.4.2.3.1.-.b.0.9.e.-.6.f.d.d.c.0.d.b.5.1.2.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.L.i.s.e.c.t.A.V.T._.2.4.0.3.0.0.2.A._.2.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.9.0.-.0.0.0.1.-.0.0.1.4.-.2.d.0.6.-.a.b.7.0.d.4.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.7.8.5.7.3.c.6.3.c.1.e.2.d.8.1.3.f.7.e.1.a.9.c.f.c.0.d.2.8.4.7.0.0.0.0.f.f.f.f.!.0.0.0.0.7.d.f.f.8.7.7.4.f.a.b.b.5.e.6.e.f.3.a.9.a.6.9.5.d.8.9.e.8.c.3.6.9.d.2.c.d.6.f.4.!.L.i.s.e.c.t.A.V.T._.2.4.0.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 25 20:51:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	23918
Entropy (8bit):	2.57764770464237
Encrypted:	false
SSDEEP:	96:5k8ql1anLj6Uta61BGHPXExt+Qa0Tnelk/i7pvK+pQ7kB/bIQ291Loqx3QN7WIkp:BofPXG+QRLel8Op9NIV0q5QNPGb5GfO
MD5:	E96E6E773E41F4B74D491F3B76D6C97C
SHA1:	4CED873B4D50D7E435E31F996F56D960A469A102
SHA-256:	D5B770C95BF2BA317E7EAFBCEDC0C345E11E9B4667F26E668CC9BD380A5192AB
SHA-512:	002B7C45C11F97DB38C7BFE7B866D83E428709C2C008A2CC69196C10E8FBA575132956F0B0AE53F7AA20296EAF49D2489B3CABEFE10C499CDAB3F4B25A680134
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........f............4...............<.......................T.......8...........T...........0...>K......................................................................................................eJ......P.......GenuineIntel............T.............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6961642400319263
Encrypted:	false
SSDEEP:	192:R6l7wVeJPjJ6gkoSk56YEIY1SU9NLmgmfqyObb9GpDP89bMJsfOEm:R6lXJ7J6gkjQ6YEnSU9NLmgmfqyObFMD
MD5:	2BE9C08E0AABB659A53CFE369929840A
SHA1:	A31065BA750CE5162DA307E455901B3E2D8FB0A2
SHA-256:	E1F808B3A664114AE03928A421A1029DF3A079893136781558F5C48DE863C244
SHA-512:	49C1A045BE7E3BA1061099EA6E3E0C2AE7C3E521C82C64CB9B160AE23EC36F314D59798E87D56D21283C09AA2C3DA50C32FB653E0A3AFB775F89FD09A01A0EC9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4656
Entropy (8bit):	4.497643293491694
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2NJg77aI9ZjuWpW8VYFYm8M4JEQZFD+q8sACZI5kd:uIjfCI7TjP7VBJ3TZI5kd
MD5:	17858A64A0C9D9F565CEFA9B9FABF4EF
SHA1:	82F2C297937486108EC5D8411071A2DFBE1D4930
SHA-256:	7A81044824BFA241D29B2F6B4C3A7AC146A40F5DC523463146DA881AA8FAA417
SHA-512:	A27FF9854F992D3E8D1A6D3551831A3AE2256F597D4D28BEC306B0AEC798AFE7774886F0280B53A2260A53564224AF63790254D7BD849D67AC12BFEB25494009
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="426954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421573146259613
Encrypted:	false
SSDEEP:	6144:zSvfpi6ceLP/9skLmb0OToWSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:+vloToW+EZMM6DFyX03w
MD5:	1425F1464586D29FF355A95D44BA3500
SHA1:	C64FF9488FD7C1896990823F6F4C4E741B9F0B18
SHA-256:	A9F985348EBFB9F9A6768E7CFB598E45F5C3A09445A60CB5DF7143B47237826C
SHA-512:	CE6E050CF215BAAB833A47B67FA869B52E89B8BD69E6C696D280D2EB8CA41A4D3E8D7D020270B3D18A4FBC8C4B9E37115BED3A5C3590342868F9486FD013D131
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN..q................................................................................................................................................................................................................................................................................................................................................<..E........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5086172286110155
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_20.exe
File size:	234'500 bytes
MD5:	c4d3655d5c8b473292c064ea6392e59e
SHA1:	7dff8774fabb5e6ef3a9a695d89e8c369d2cd6f4
SHA256:	b3a927c1fdd44c0c8f0c819cb62ca6e0fa8362b9fb7d5baa10cd5348e4a20bde
SHA512:	56ba118a982a9d18a386931f1ce5d13339acee83fb81900b6cc48f845311b05bf756d58f969c1a61f307ba12a02d9bc5370bb7cf8c0c910a7fa6347f4a8d9148
SSDEEP:	3072:Hy/JcAzMcvZv2wjNHMk/54RNA5CvIjwRvOYSIxYL7fJSNyoBYTbLOoCAT7ht:HEcuMKv2wjRMNPA56x1T7IJSNfCZT7h
TLSH:	B934DFA032E0C03AD1B71A3148A5DBB14A7ABD726B7941CB7394273E1F716D14ABE353
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..\#.[\#.[\#.[3U.[D#.[3U [(#.[3U![{#.[U[.[W#.[\#.[7#.[3U%[]#.[3U.[]#.[3U.[]#.[Rich\#.[........................PE..L......d...

File Icon


Icon Hash:	1369454d69170717

Static PE Info

General

Entrypoint:	0x401eb1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64020296 [Fri Mar 3 14:22:14 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	321f5991d9ca05f3c2dbb14c7f0cb744

Entrypoint Preview

Instruction
call 00007F2EF0BFF857h
jmp 00007F2EF0BFBA3Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00411248h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F2EF0BFBBBEh
test byte ptr [eax], 00000008h
je 00007F2EF0BFBBB9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [004110B8h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00433308h], eax
mov dword ptr [00433304h], ecx
mov dword ptr [00433300h], edx
mov dword ptr [004332FCh], ebx
mov dword ptr [004332F8h], esi
mov dword ptr [004332F4h], edi
mov word ptr [00433320h], ss
mov word ptr [00433314h], cs
mov word ptr [004332F0h], ds
mov word ptr [004332ECh], es
mov word ptr [004332E8h], fs
mov word ptr [004332E4h], gs
pushfd
pop dword ptr [00433318h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043330Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00433310h], eax
lea eax, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f854	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x136000	0x7d30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf2a8	0xf400	d711baf54806408b2c6ce710cb4b50a4	False	0.5982165727459017	data	6.650652502380705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x1f18e	0x1f200	672def33384f88932df3cfc9edd3bf53	False	0.6968969628514057	zlib compressed data	6.547948233891078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x31000	0x1042e4	0x2c00	22a92f280a592cbd563bc61d437c9d19	False	0.1581143465909091	data	1.8774694742495086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x136000	0x104d30	0x7e00	95bbc6ed352c5fd42397e62355d7ead0	False	0.5481770833333334	data	5.532829005955218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x13cca8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4276315789473684
RT_ICON	0x136430	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Spanish	Peru	0.43310234541577824
RT_ICON	0x1372d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Spanish	Peru	0.5712996389891697
RT_ICON	0x137b80	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Spanish	Peru	0.6434331797235023
RT_ICON	0x138248	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Spanish	Peru	0.7095375722543352
RT_ICON	0x1387b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Spanish	Peru	0.5577800829875519
RT_ICON	0x13ad58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Spanish	Peru	0.5893527204502814
RT_ICON	0x13be00	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Spanish	Peru	0.6721311475409836
RT_ICON	0x13c788	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Spanish	Peru	0.7039007092198581
RT_DIALOG	0x13cfe0	0x98	data			0.7631578947368421
RT_STRING	0x13d078	0x192	data			0.4925373134328358
RT_STRING	0x13d210	0x5f8	data			0.4352094240837696
RT_STRING	0x13d808	0xbe	data			0.5894736842105263
RT_STRING	0x13d8c8	0x464	data			0.4626334519572954
RT_ACCELERATOR	0x13cc68	0x40	data			0.859375
RT_GROUP_CURSOR	0x13cdd8	0x14	data			1.15
RT_GROUP_ICON	0x13cbf0	0x76	data	Spanish	Peru	0.6610169491525424
RT_VERSION	0x13cdf0	0x1f0	MS Windows COFF PowerPC object file			0.5745967741935484

Imports

DLL	Import
KERNEL32.dll	GetNumaProcessorNode, DebugActiveProcessStop, GetConsoleAliasExesLengthA, SetUnhandledExceptionFilter, InterlockedIncrement, WaitForSingleObject, SetComputerNameW, ConnectNamedPipe, GetModuleHandleW, GetTickCount, LoadLibraryW, GetLocaleInfoW, GetFileAttributesA, HeapCreate, lstrcpynW, GetAtomNameW, FindNextVolumeMountPointW, SetConsoleTitleA, GetConsoleOutputCP, TryEnterCriticalSection, GetLongPathNameW, GetThreadLocale, GetProcAddress, HeapSize, CreateHardLinkW, FindAtomA, GlobalFindAtomW, SetSystemTime, GetModuleFileNameA, SetConsoleTitleW, HeapSetInformation, GetCurrentDirectoryA, SetCalendarInfoA, FindAtomW, CloseHandle, GetLastError, CreateFileA, CreateFileW, ReadFile, FlushFileBuffers, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoW, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, DecodePointer, EncodePointer, HeapFree, IsProcessorFeaturePresent, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, EnterCriticalSection, LeaveCriticalSection, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, RtlUnwind, MultiByteToWideChar, SetStdHandle, WriteConsoleW, LCMapStringW, GetStringTypeW
USER32.dll	CopyRect, GetMonitorInfoW, LoadIconW
ADVAPI32.dll	RegCreateKeyW
ole32.dll	CoTaskMemFree
WINHTTP.dll	WinHttpOpen

Possible Origin

Language of compilation system	Country where language is spoken	Map
Spanish	Peru

Target ID:	0
Start time:	16:51:36
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_20.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_20.exe"
Imagebase:	0x400000
File size:	234'500 bytes
MD5 hash:	C4D3655D5C8B473292C064EA6392E59E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.2017654737.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:51:37
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 456
Imagebase:	0x7a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	12.5%
Signature Coverage:	9.7%
Total number of Nodes:	393
Total number of Limit Nodes:	13

Executed Functions

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,008A1830), ref: 00415F11
GetProcAddress.KERNEL32(?,008A1980), ref: 00415F2A
GetProcAddress.KERNEL32(?,008A1758), ref: 00415F42
GetProcAddress.KERNEL32(?,008A18D8), ref: 00415F5A
GetProcAddress.KERNEL32(?,008A1890), ref: 00415F73
GetProcAddress.KERNEL32(?,00898500), ref: 00415F8B
GetProcAddress.KERNEL32(?,00897610), ref: 00415FA3
GetProcAddress.KERNEL32(?,00897650), ref: 00415FBC
GetProcAddress.KERNEL32(?,008A1848), ref: 00415FD4
GetProcAddress.KERNEL32(?,008A1860), ref: 00415FEC
GetProcAddress.KERNEL32(?,008A1878), ref: 00416005
GetProcAddress.KERNEL32(?,008A1710), ref: 0041601D
GetProcAddress.KERNEL32(?,008976D0), ref: 00416035
GetProcAddress.KERNEL32(?,008A1998), ref: 0041604E
GetProcAddress.KERNEL32(?,008A18A8), ref: 00416066
GetProcAddress.KERNEL32(?,008974D0), ref: 0041607E
GetProcAddress.KERNEL32(?,008A18F0), ref: 00416097
GetProcAddress.KERNEL32(?,008A1908), ref: 004160AF
GetProcAddress.KERNEL32(?,00897410), ref: 004160C7
GetProcAddress.KERNEL32(?,008A1920), ref: 004160E0
GetProcAddress.KERNEL32(?,008976F0), ref: 004160F8
LoadLibraryA.KERNEL32(008A1938,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(008A1950,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(008A1968,?,004136C0), ref: 0041612D
LoadLibraryA.KERNELBASE(008A16B0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(008A16C8,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75070000,008A1728), ref: 00416172
GetProcAddress.KERNEL32(75FD0000,008A1740), ref: 00416193
GetProcAddress.KERNEL32(75FD0000,008A19C8), ref: 004161AB
GetProcAddress.KERNEL32(?,008A1A28), ref: 004161CD
GetProcAddress.KERNEL32(74E50000,008973F0), ref: 004161EE
GetProcAddress.KERNEL32(76E80000,00898510), ref: 0041620F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Function 004135E0 Relevance: 6.1, APIs: 4, Instructions: 67
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,00898530,?,0041D8AC,?,00000000,?), ref: 0041362C
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,00898530,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00898530,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcess
String ID:
API String ID: 56602140-0
Opcode ID: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Function 008A4346 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008A436E
Module32First.KERNEL32(00000000,00000224), ref: 008A438E

Memory Dump Source

Source File: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, Offset: 008A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a3000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: db42fd02b738cd0701d6bed4671acce1660fdf86cd4eb87f53b7994de0db66d5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 9FF06231100715ABEF207AF9988DE6BB6ECFFCA725F101528F646D19C0DBB0E8454661

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Function 004143C0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Function 00405610 Relevance: 23.0, APIs: 8, Strings: 7, Instructions: 493
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,00000000,00000000,?,00000000,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8

Strings

-A, xrefs: 00405620, 00405D27, 00405623
", xrefs: 00405AC6
------, xrefs: 004058BB
------, xrefs: 00405746
------, xrefs: 004059FC
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
", xrefs: 00405985

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$memcpy
String ID: "$"$------$------$------$-A$-A
API String ID: 2995824467-602752961
Opcode ID: dddef2f3b1b428b329413e3e7d9bc69cc52025673dfceb6067fff80238abe11d
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: dddef2f3b1b428b329413e3e7d9bc69cc52025673dfceb6067fff80238abe11d
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Function 0226003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0226024D

Strings

cess, xrefs: 0226018D
kernel32.dll, xrefs: 0226008F, 02260095

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f0866a4a534265b635c4f48f5103a6679655d60997b2cb50cb092b7cbc6e10b9
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 60527975A11229DFDB64CF98C984BACBBB1BF09304F1480D9E90DAB355DB30AA85DF14

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1830), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1980), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1758), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A18D8), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1890), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,00898500), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,00897610), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,00897650), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1848), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1860), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1878), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1710), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008976D0), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(?,008A1998), ref: 0041604E

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: VirtualAllocExNuma.KERNELBASE(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

GetUserDefaultLangID.KERNELBASE ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00898530,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,00898530,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AddressProc$ExitProcess$CloseHandleNameUser__aulldiv$AllocComputerDefaultEventGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrlen
String ID:
API String ID: 430313853-0
Opcode ID: 19e3f2ad90109acb9ecb49a28c3fe414203e82b8baa863b8814d0b1a2f2bc6c1
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 19e3f2ad90109acb9ecb49a28c3fe414203e82b8baa863b8814d0b1a2f2bc6c1
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Function 004137B3 Relevance: 4.5, APIs: 3, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00898530,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,00898530,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: CloseHandle$EventExitOpenProcessSleep
String ID:
API String ID: 139424489-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Function 004010D0 Relevance: 3.0, APIs: 2, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AllocExitNumaProcessVirtual
String ID:
API String ID: 2517686967-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Function 02260E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02260223,?,?), ref: 02260E19
SetErrorMode.KERNELBASE(00000000,?,?,02260223,?,?), ref: 02260E1E

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 01df04ff48ef7195399de051aa7a3bf3c448f718d79b6c25c3f555e1db7778fa
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: F4D0123255512877D7002AD4DC0DBDD7B1CDF09B66F008011FB0DD9080C770964046E5

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Function 00414400 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Name$ComputerExitProcessUser
String ID:
API String ID: 162832415-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Function 008A4005 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008A4056

Memory Dump Source

Source File: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, Offset: 008A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a3000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 199f9fcb6f0f0a92e9c516c3276bd2ca6ce9b83090f783d191d7f128259a0963
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 24113C79A00208EFDB01DF98C985E98BBF5EF08350F058094FA489B362D371EA50EF80

Non-executed Functions

Function 02277DB5 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 022790AD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 022790C2
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 022790CD
GetCurrentProcess.KERNEL32(C0000409), ref: 022790E9
TerminateProcess.KERNEL32(00000000), ref: 022790F0

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: a104de4dfc4d612c0f19e6a67c80ccd02dab0ae425f09a20843066b21af47b97
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 4721EF78A11304EFC320EF64F844B543BB4FB8C305F81907AE65887260E7B456868F9D

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Function 0226092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 022609DC, 022609DF, 022609E4
l, xrefs: 02260966
., xrefs: 0226095F

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 46277bdeb2be833d4433bb61865e73492ba3e9ff6cef753ff34ece147b5d36ee
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 7B3169B6911609CFDB20CF99C884BAEBBF6FF08724F14414AD441A7354D7B1EA85CBA4

Function 0227A02E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00419D85), ref: 0227A033

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 070a293f5fd72a4302476959d8ba9f25930c1a77546e2223ef40415f4a224816
Instruction ID: a2f7eb20247afb77339b0084df5ee2fab041c51b9664aeb6610f0aa757957e44
Opcode Fuzzy Hash: 070a293f5fd72a4302476959d8ba9f25930c1a77546e2223ef40415f4a224816
Instruction Fuzzy Hash: 0290027069124446460057B06C1D6966A95AA8C60679144E5E125C405DEB644448555D

Function 00419DC7 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00019D85), ref: 00419DCC

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 070a293f5fd72a4302476959d8ba9f25930c1a77546e2223ef40415f4a224816
Instruction ID: a2f7eb20247afb77339b0084df5ee2fab041c51b9664aeb6610f0aa757957e44
Opcode Fuzzy Hash: 070a293f5fd72a4302476959d8ba9f25930c1a77546e2223ef40415f4a224816
Instruction Fuzzy Hash: 0290027069124446460057B06C1D6966A95AA8C60679144E5E125C405DEB644448555D

Function 008A3C23 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193515267.00000000008A3000.00000040.00000020.00020000.00000000.sdmp, Offset: 008A3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8a3000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 0aec9357faa2ec1ef16d740a5ff65a5dbedb7c5c79760830d5297a6a34bd7ad6
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 89115E72340200AFE744DE59DC85EA673EAFB89330B298055ED04DB712D675ED41C760

Function 02260D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 371a13851f7bc2430136147e6f126d967e8cbc76b975b0e557f27e01474f70d8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 6B01F7736206008FDF21CFA0C808FBE33E9FB86205F0541A4E90797285E370AA818B80

Function 02276027 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00415DC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 02279791 Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 022797A5

Part of subcall function 022774AE: HeapFree.KERNEL32(00000000,00000000,?,022773BF,?,?,02266DBF), ref: 022774C4
Part of subcall function 022774AE: GetLastError.KERNEL32(?,?,022773BF,?,?,02266DBF), ref: 022774D6

_free.LIBCMT ref: 022797AD
_free.LIBCMT ref: 022797B5
_free.LIBCMT ref: 022797BD
_free.LIBCMT ref: 022797C5
_free.LIBCMT ref: 022797CD
_free.LIBCMT ref: 022797D4
_free.LIBCMT ref: 022797DC
_free.LIBCMT ref: 022797E4
_free.LIBCMT ref: 022797EC
_free.LIBCMT ref: 022797F4
_free.LIBCMT ref: 022797FC
_free.LIBCMT ref: 02279804
_free.LIBCMT ref: 0227980C
_free.LIBCMT ref: 02279814
_free.LIBCMT ref: 0227981C
_free.LIBCMT ref: 02279827
_free.LIBCMT ref: 0227982F
_free.LIBCMT ref: 02279837
_free.LIBCMT ref: 0227983F
_free.LIBCMT ref: 02279847
_free.LIBCMT ref: 0227984F
_free.LIBCMT ref: 02279857
_free.LIBCMT ref: 0227985F
_free.LIBCMT ref: 02279867
_free.LIBCMT ref: 0227986F
_free.LIBCMT ref: 02279877
_free.LIBCMT ref: 0227987F
_free.LIBCMT ref: 02279887
_free.LIBCMT ref: 0227988F
_free.LIBCMT ref: 02279897
_free.LIBCMT ref: 0227989F
_free.LIBCMT ref: 022798AD
_free.LIBCMT ref: 022798B8
_free.LIBCMT ref: 022798C3
_free.LIBCMT ref: 022798CE
_free.LIBCMT ref: 022798D9
_free.LIBCMT ref: 022798E4
_free.LIBCMT ref: 022798EF
_free.LIBCMT ref: 022798FA
_free.LIBCMT ref: 02279905
_free.LIBCMT ref: 02279910
_free.LIBCMT ref: 0227991B
_free.LIBCMT ref: 02279926
_free.LIBCMT ref: 02279931
_free.LIBCMT ref: 0227993C
_free.LIBCMT ref: 02279947
_free.LIBCMT ref: 02279952
_free.LIBCMT ref: 02279960
_free.LIBCMT ref: 0227996B
_free.LIBCMT ref: 02279976
_free.LIBCMT ref: 02279981
_free.LIBCMT ref: 0227998C
_free.LIBCMT ref: 02279997
_free.LIBCMT ref: 022799A2
_free.LIBCMT ref: 022799AD
_free.LIBCMT ref: 022799B8
_free.LIBCMT ref: 022799C3
_free.LIBCMT ref: 022799CE
_free.LIBCMT ref: 022799D9
_free.LIBCMT ref: 022799E4
_free.LIBCMT ref: 022799EF
_free.LIBCMT ref: 022799FA
_free.LIBCMT ref: 02279A05
_free.LIBCMT ref: 02279A13
_free.LIBCMT ref: 02279A1E
_free.LIBCMT ref: 02279A29
_free.LIBCMT ref: 02279A34
_free.LIBCMT ref: 02279A3F
_free.LIBCMT ref: 02279A4A
_free.LIBCMT ref: 02279A55
_free.LIBCMT ref: 02279A60
_free.LIBCMT ref: 02279A6B
_free.LIBCMT ref: 02279A76
_free.LIBCMT ref: 02279A81
_free.LIBCMT ref: 02279A8C
_free.LIBCMT ref: 02279A97
_free.LIBCMT ref: 02279AA2
_free.LIBCMT ref: 02279AAD
_free.LIBCMT ref: 02279AB8
_free.LIBCMT ref: 02279AC6
_free.LIBCMT ref: 02279AD1
_free.LIBCMT ref: 02279ADC
_free.LIBCMT ref: 02279AE7
_free.LIBCMT ref: 02279AF2
_free.LIBCMT ref: 02279AFD

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 36fc7fe13847c8907379b30b108c4ce372182c876a5f8addfd845b575ea14b7f
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: C971C031825B249ED7623BB1DE13A59FEB37F04320F23C93491B620D349A326865BE5D

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Function 02276137 Relevance: 49.7, APIs: 33, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00625074,00624A00), ref: 02276178
GetProcAddress.KERNEL32(00625074,00624DA4), ref: 02276191
GetProcAddress.KERNEL32(00625074,00624E10), ref: 022761A9
GetProcAddress.KERNEL32(00625074,00624A60), ref: 022761C1
GetProcAddress.KERNEL32(00625074,00624A4C), ref: 022761DA
GetProcAddress.KERNEL32(00625074,00624AEC), ref: 022761F2
GetProcAddress.KERNEL32(00625074,00624CB8), ref: 0227620A
GetProcAddress.KERNEL32(00625074,00624B30), ref: 02276223
GetProcAddress.KERNEL32(00625074,00624D84), ref: 0227623B
GetProcAddress.KERNEL32(00625074,00624D28), ref: 02276253
GetProcAddress.KERNEL32(00625074,00624BAC), ref: 0227626C
GetProcAddress.KERNEL32(00625074,00624AE0), ref: 02276284
GetProcAddress.KERNEL32(00625074,00624DD8), ref: 0227629C
GetProcAddress.KERNEL32(00625074,006248B0), ref: 022762B5
GetProcAddress.KERNEL32(00625074,00624D7C), ref: 022762CD
GetProcAddress.KERNEL32(00625074,00624A20), ref: 022762E5
GetProcAddress.KERNEL32(00625074,00624C08), ref: 022762FE
GetProcAddress.KERNEL32(00625074,00624E00), ref: 02276316
GetProcAddress.KERNEL32(00625074,006248BC), ref: 0227632E
GetProcAddress.KERNEL32(00625074,00624928), ref: 02276347
GetProcAddress.KERNEL32(00625074,00624AAC), ref: 0227635F
LoadLibraryA.KERNEL32(00624D30,?,02273927), ref: 02276371
LoadLibraryA.KERNEL32(00624978,?,02273927), ref: 02276382
LoadLibraryA.KERNEL32(00624900,?,02273927), ref: 02276394
LoadLibraryA.KERNEL32(006249D8,?,02273927), ref: 022763A6
LoadLibraryA.KERNEL32(00624B1C,?,02273927), ref: 022763B7
GetProcAddress.KERNEL32(00624E98,00624C94), ref: 022763D9
GetProcAddress.KERNEL32(00624FB8,00624C14), ref: 022763FA
GetProcAddress.KERNEL32(00624FB8,006249C8), ref: 02276412
GetProcAddress.KERNEL32(006250A8,00624B88), ref: 02276434
GetProcAddress.KERNEL32(00624F6C,00624924), ref: 02276455
GetProcAddress.KERNEL32(00624F9C,00624C04), ref: 02276476
GetProcAddress.KERNEL32(00624F9C,0041D12C), ref: 0227648D

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 0da3fa948a558328a822f73e75036f8ab5887911ada141a94d495682c794e059
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: C5A15FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A4DF759482CF91

Function 0040EA90 Relevance: 38.9, APIs: 12, Strings: 10, Instructions: 363stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A

strtok_s.MSVCRT ref: 0040EB5B
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

lstrlen.KERNEL32(00000000), ref: 0040EC1D
lstrlen.KERNEL32(00000000), ref: 0040EC67
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

<Host>, xrefs: 0040EBBC
password: , xrefs: 0040EE3B
<User>, xrefs: 0040EC50
browser: FileZilla, xrefs: 0040ED99
url: , xrefs: 0040EDB7
login: , xrefs: 0040EE0A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Pass encoding="base64">, xrefs: 0040EC9A
<Port>, xrefs: 0040EC06
profile: null, xrefs: 0040EDA8

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$strtok_s$CloseHandlemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 62063689-555421843
Opcode ID: 94138ede758836c146890e655253faacc7f37dc3b4ee1b7591c8aaee1c92a62f
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: 94138ede758836c146890e655253faacc7f37dc3b4ee1b7591c8aaee1c92a62f
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Function 0226ECF7 Relevance: 18.4, APIs: 12, Instructions: 363stringCOMMON

Download Yara Rule

APIs

Part of subcall function 02277217: lstrlen.KERNEL32(?,006249EC,?,004215A4,0041D7D6), ref: 0227722C

Part of subcall function 02269607: CloseHandle.KERNEL32(000000FF), ref: 022696E1

strtok_s.MSVCRT ref: 0226EDC2
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EE3A

Part of subcall function 02275207: malloc.MSVCRT ref: 0227520F
Part of subcall function 02275207: strncpy.MSVCRT ref: 0227522A

lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EE84
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EECE
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EF1C
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EFA9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EFC1
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EFD9
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226EFF1
strtok_s.MSVCRT ref: 0226F120
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0226F135
memset.MSVCRT ref: 0226F17E

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$strtok_s$CloseHandlemallocmemsetstrncpy
String ID:
API String ID: 62063689-0
Opcode ID: b16d59508813708b1d92d6ee10662e8f39c45857b8dfa9bcd2ae4a529fc321c5
Instruction ID: 33588062f827b8af9fd3d2a500138d1a5dc3132c8ee5a3a1c39d2d32f095a015
Opcode Fuzzy Hash: b16d59508813708b1d92d6ee10662e8f39c45857b8dfa9bcd2ae4a529fc321c5
Instruction Fuzzy Hash: 7DD13EB2D14208ABCB14FBE4DD99EFEB73AAF54300F504419F106AA198DF749A45CFA4

Function 02278AAA Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 02278AB6

Part of subcall function 02277D93: __getptd_noexit.LIBCMT ref: 02277D96
Part of subcall function 02277D93: __amsg_exit.LIBCMT ref: 02277DA3

__amsg_exit.LIBCMT ref: 02278AD6
__lock.LIBCMT ref: 02278AE6
InterlockedDecrement.KERNEL32(?), ref: 02278B03
_free.LIBCMT ref: 02278B16
InterlockedIncrement.KERNEL32(05B), ref: 02278B2E

Strings

05B, xrefs: 02278B1C, 02278B24, 02278B2D
05B, xrefs: 02278B0D

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B$05B
API String ID: 3470314060-1918097640
Opcode ID: 30fd09fcb36eb232e569ea581c467d664f2ee35282cbedbbd802be78d6068a8c
Instruction ID: 58f0b02c77bb3be767a0362c248c48aee1eca5b625d9cdf37a52fa7e1e808265
Opcode Fuzzy Hash: 30fd09fcb36eb232e569ea581c467d664f2ee35282cbedbbd802be78d6068a8c
Instruction Fuzzy Hash: 8101DB71F29722ABC720AFE5980975EBB71FF05721F404025E410A7688CB785581EFD6

Function 00411650 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\*, xrefs: 0041165D
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-2524465048
Opcode ID: a38c34432e6badff7eed53cef2cb006e7e01620f7d465891b9819aabf743dff9
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: a38c34432e6badff7eed53cef2cb006e7e01620f7d465891b9819aabf743dff9
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E
OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 1606381396-4138519520
Opcode ID: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Function 00404540 Relevance: 11.0, APIs: 2, Strings: 5, Instructions: 479stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,00000000), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4

Strings

------, xrefs: 00404929
------, xrefs: 0040467D
", xrefs: 004048B2
", xrefs: 004049F3
------, xrefs: 004047E8

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: "$"$------$------$------
API String ID: 1659193697-2180234286
Opcode ID: 34ff306594498cb419d8f3a4553490a1d4df36bd29bd2e5878c3e8e9be38561f
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 34ff306594498cb419d8f3a4553490a1d4df36bd29bd2e5878c3e8e9be38561f
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Function 0040B250 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E

lstrlen.KERNEL32(00000000), ref: 0040B44D
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountTokens, xrefs: 0040B28A
AccountTokens, xrefs: 0040B319
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountId, xrefs: 0040B472

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 3317826854-1079375795
Opcode ID: 1ee09189f74538e519833edc0d23ec70a08f9fcf4db5531c31ec3b9a83490509
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 1ee09189f74538e519833edc0d23ec70a08f9fcf4db5531c31ec3b9a83490509
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

@, xrefs: 00413C66
Z>A, xrefs: 00413C38, 00413C3B

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Function 004012D0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7
lstrlen.KERNEL32(?), ref: 0040131C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,00000000,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 004093A0: CloseHandle.KERNEL32(000000FF), ref: 0040947A

memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A

Strings

SOFTWARE\monero-project\monero-core, xrefs: 004012F5
\Monero\wallet.keys, xrefs: 0040134D
.keys, xrefs: 0040132B
wallet_path, xrefs: 004012F0

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$memset$CloseHandleSystemTime
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 3513846868-218353709
Opcode ID: 544a29b48099084aee3e2fc4cd677dd114ad60dddebe7d92c1295d5e13c1ab67
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 544a29b48099084aee3e2fc4cd677dd114ad60dddebe7d92c1295d5e13c1ab67
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Function 00413430 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: *
API String ID: 621844428-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Function 02265877 Relevance: 10.5, APIs: 8, Instructions: 493stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022646D7: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 0226475D

Part of subcall function 02277217: lstrlen.KERNEL32(?,006249EC,?,004215A4,0041D7D6), ref: 0227722C

lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,0041E0DC,00000000,?,006248EC,00000000,?,00624AE4,00000000,?,0041E0D8), ref: 02265D85
lstrlen.KERNEL32(00000000), ref: 02265D96
lstrlen.KERNEL32(00000000), ref: 02265DC3
memcpy.MSVCRT ref: 02265DDA
lstrlen.KERNEL32(00000000), ref: 02265DEC
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 02265E05
memcpy.MSVCRT ref: 02265E12
lstrlen.KERNEL32(00000000,?,?), ref: 02265E2F

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen$memcpy
String ID:
API String ID: 2995824467-0
Opcode ID: 8b814884cedf4fc81417a9552fa435a5da42abb82068080e2803263974605ad5
Instruction ID: 893bf26f54e980076f4d6326ae4a9edb398e76d5ca4f7d427ceba5b7afe12e95
Opcode Fuzzy Hash: 8b814884cedf4fc81417a9552fa435a5da42abb82068080e2803263974605ad5
Instruction Fuzzy Hash: BD12DE75924228ABCB15EBE0DC94FEEB37ABF54700F504199E106B21A4EF706E89CF50

Function 02273FF7 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 02274005
OpenProcess.KERNEL32(001FFFFF,00000000,02274234,0041D28B), ref: 02274043
memset.MSVCRT ref: 02274091
??_V@YAXPAX@Z.MSVCRT ref: 022741E5

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID:
API String ID: 1606381396-0
Opcode ID: 1a26b6fa8bdaeb359c51be8f7994c2d1375265ef96f370ef8ce744ae01cba673
Instruction ID: 9e4a7dac6d30e6210e9ca2e099ec1be4c7808242bd42477b32bef382bb7c3a4a
Opcode Fuzzy Hash: 1a26b6fa8bdaeb359c51be8f7994c2d1375265ef96f370ef8ce744ae01cba673
Instruction Fuzzy Hash: D8519FB0C142189FDB24EBD0DC94BEEB775EF58304F1041A9E515B7294EB746A84CF58

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Function 02273E27 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 02273E46
??_U@YAPAXI@Z.MSVCRT ref: 02273E74

Part of subcall function 02273AF7: strlen.MSVCRT ref: 02273B08
Part of subcall function 02273AF7: strlen.MSVCRT ref: 02273B2C

VirtualQueryEx.KERNEL32(02274234,00000000,?,0000001C), ref: 02273EB9
??_V@YAXPAX@Z.MSVCRT ref: 02273FDA

Part of subcall function 02273D07: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 02273D1F

Strings

@, xrefs: 02273ECD

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 691aba4177d4055ed7756e040e1950957e786b7a143df09ca99d20bb9e2726a0
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 1151F4B1A1410AABDB04CFD8D891AEFB7B6FF88300F008159F919A7244D735EA11DBA1

Function 02278C93 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 02278CC4
GetCPInfo.KERNEL32(?,?), ref: 02278CD7
memset.MSVCRT ref: 02278CEF
setSBUpLow.LIBCMT ref: 02278DC5

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: 6951f29c36c94b1d073d54955c1dcc818f8d448c9a4e816d0e34e81470273be2
Instruction ID: 311b67c8d0f25270221705016a49e6793b3f50e9b72a4fad8bca4f1be42d03f9
Opcode Fuzzy Hash: 6951f29c36c94b1d073d54955c1dcc818f8d448c9a4e816d0e34e81470273be2
Instruction Fuzzy Hash: 54313E31A2C2568FD7259FB4C84837ABFA09F45314F1845AEE891DE189C774C405E753

Function 02273917 Relevance: 7.6, APIs: 5, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624A00), ref: 02276178
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624DA4), ref: 02276191
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624E10), ref: 022761A9
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624A60), ref: 022761C1
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624A4C), ref: 022761DA
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624AEC), ref: 022761F2
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624CB8), ref: 0227620A
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624B30), ref: 02276223
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624D84), ref: 0227623B
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624D28), ref: 02276253
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624BAC), ref: 0227626C
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624AE0), ref: 02276284
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,00624DD8), ref: 0227629C
Part of subcall function 02276137: GetProcAddress.KERNEL32(00625074,006248B0), ref: 022762B5

Part of subcall function 022613F7: ExitProcess.KERNEL32 ref: 02261438

Part of subcall function 02261387: GetSystemInfo.KERNEL32(?), ref: 02261391
Part of subcall function 02261387: ExitProcess.KERNEL32 ref: 022613A5

Part of subcall function 02261337: ExitProcess.KERNEL32 ref: 0226136A

Part of subcall function 02261447: __aulldiv.LIBCMT ref: 0226147F
Part of subcall function 02261447: __aulldiv.LIBCMT ref: 0226148D
Part of subcall function 02261447: ExitProcess.KERNEL32 ref: 022614BB

Part of subcall function 022613B7: ExitProcess.KERNEL32 ref: 022613ED

Part of subcall function 02274627: GetUserNameA.ADVAPI32(?,00000104), ref: 02274653

Part of subcall function 02277217: lstrlen.KERNEL32(?,006249EC,?,004215A4,0041D7D6), ref: 0227722C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00624D20,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 022739F1
CloseHandle.KERNEL32(00000000), ref: 02273A20
Sleep.KERNEL32(00001770), ref: 02273A2B
CloseHandle.KERNEL32(?,00000000,?,00624D20,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 02273A41
ExitProcess.KERNEL32 ref: 02273A49

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: AddressProc$ExitProcess$CloseHandle__aulldiv$EventInfoNameOpenSleepSystemUserlstrlen
String ID:
API String ID: 4169746731-0
Opcode ID: 46515f5eae24d0a6147c7cb61a4b11b40ebb98da62e4e0d1738e1df983633f24
Instruction ID: 28fc4073c6f7635c97123d15eda46860effa48664e08958445920723bb061692
Opcode Fuzzy Hash: 46515f5eae24d0a6147c7cb61a4b11b40ebb98da62e4e0d1738e1df983633f24
Instruction Fuzzy Hash: 7C314C71D68308AADB14FBF0DC59FFDB77AAF54301F004518A112A6298EFB0A905CF61

Function 0227880E Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0227881A

Part of subcall function 02277D93: __getptd_noexit.LIBCMT ref: 02277D96
Part of subcall function 02277D93: __amsg_exit.LIBCMT ref: 02277DA3

__getptd.LIBCMT ref: 02278831
__amsg_exit.LIBCMT ref: 0227883F
__lock.LIBCMT ref: 0227884F
__updatetlocinfoEx_nolock.LIBCMT ref: 02278863

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: cc7480a914060d8b5643a9d0b0f25a761215b1338a518c63d358d0bb6fed0dfa
Instruction ID: 838fc6fb187795c061a9e8f19a0dbc47cd0cacb2e2819e841037598d99bd5852
Opcode Fuzzy Hash: cc7480a914060d8b5643a9d0b0f25a761215b1338a518c63d358d0bb6fed0dfa
Instruction Fuzzy Hash: 76F0B432E2D314EBD721BFF4980975D73A2AF00721F904129E408A72D9CBB85541EE5B

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Function 0040FAE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Function 00406FA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4

task.LIBCPMTD ref: 004070CB

Strings

`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E
h0A, xrefs: 00406FA6, 00406FA9

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: memsettask
String ID: : $`v@$h0A
API String ID: 1616412766-3559972273
Opcode ID: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Function 00414960 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %d MB$@
API String ID: 3732870572-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Function 02261447 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0226147F
__aulldiv.LIBCMT ref: 0226148D
ExitProcess.KERNEL32 ref: 022614BB

Strings

@, xrefs: 0226145A

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitProcess
String ID: @
API String ID: 1471141222-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: ea0a6e1757c4b1df45eb813508b786e01a5d8f9a6a3870c153cbf5caba005949
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: E40162B1D54308FAEB10DFD0CC49BADB7B8AB44705F248048E7087B6C4D7B4A5918F64

Function 00414AE0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 179COMMON

Download Yara Rule

Strings

?, xrefs: 00414B17
- , xrefs: 00414D40
%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID:
String ID: - $%s\%s$?
API String ID: 0-3278919252
Opcode ID: 061d66f760d3494af1987b411ca60ede0f30b30ca504be6e27f42dcbcd4a3eb7
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: 061d66f760d3494af1987b411ca60ede0f30b30ca504be6e27f42dcbcd4a3eb7
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Function 004121F0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 137stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\*, xrefs: 00412217
%s\%s, xrefs: 00412295

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s\%s$%s\*
API String ID: 1659193697-2848263008
Opcode ID: 333eb63e704fa0ab8c5fb78ea37c725d63d8f40c9f6006c56dd0fd91307c0c46
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 333eb63e704fa0ab8c5fb78ea37c725d63d8f40c9f6006c56dd0fd91307c0c46
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Function 004097F0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,00898530,?,0041D8AC,?,00000000), ref: 00416E2B

Strings

@, xrefs: 00409847
v10, xrefs: 00409802

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: lstrlenmemcmpmemset
String ID: @$v10
API String ID: 2195167648-24753345
Opcode ID: 6d1a1abe6e6826a1ce0dbdd1ef6ea650f8487a8d622505b14063b63e06140071
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: 6d1a1abe6e6826a1ce0dbdd1ef6ea650f8487a8d622505b14063b63e06140071
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Function 02273847 Relevance: 6.1, APIs: 4, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 02273893
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022738D9
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022738E7
ExitProcess.KERNEL32 ref: 02273901

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcess
String ID:
API String ID: 56602140-0
Opcode ID: 3210208c9ff9191fbd103aa9c2d0b3e8e7c47af46a118988f5807df95a5cb685
Instruction ID: 60032979ed20b67f37f99fba701157aa0abd4c7707d30e00ddc4d8a978879a8b
Opcode Fuzzy Hash: 3210208c9ff9191fbd103aa9c2d0b3e8e7c47af46a118988f5807df95a5cb685
Instruction Fuzzy Hash: D621DCB5D14209ABCF14DFE4D9459EEB7BABF8C300F04856EE506E3254EB349604CB65

Function 00406CA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
task.LIBCPMTD ref: 00406F25

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3
#F@, xrefs: 004152B1, 004152E1, 004152E4

Memory Dump Source

Source File: 00000000.00000002.2193162937.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2193162937.0000000000624000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2193162937.0000000000636000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: SystemTime
String ID: #F@$#F@
API String ID: 2656138-661595268
Opcode ID: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Function 02274BC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 02274C16
__aulldiv.LIBCMT ref: 02274C24

Strings

@, xrefs: 02274BF1

Memory Dump Source

Source File: 00000000.00000002.2193587843.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2260000_LisectAVT_2403002A_20.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: 7c6dea03fda8f28d16e606c39bea8375ae62d7a7ee96e468a19049cfe28b860c
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: AC111BB0D54708ABEB10EBE4CC49FAEB7B9BB44704F104548F605AB284D7B4A9018FA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_20.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_LisectAVT_240300_c7b5203bb51c74a66cfecff0322c301d262e365b_1762b4af_22897c61-9cb0-4a6e-8669-723f8d33773a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
LisectAVT_2403002A_20.exe

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 004135E0 Relevance: 6.1, APIs: 4, Instructions: 67
timeCOMMON

Function 008A4346 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 004143C0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Function 00405610 Relevance: 23.0, APIs: 8, Strings: 7, Instructions: 493
stringCOMMON

Function 0226003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004136B0 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 004137B3 Relevance: 4.5, APIs: 3, Instructions: 30
sleepCOMMON

Function 004010D0 Relevance: 3.0, APIs: 2, Instructions: 21
memoryCOMMON

Function 02260E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41
memoryCOMMON

Function 00414400 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON