Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1504333
MD5:	f10161c3acde4b7dadcd1eeddcf937f1
SHA1:	ebf47c2e0916fbc430ddc8a90cdd1fe98112f979
SHA256:	445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230
Tags:	exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Enables security privileges

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 368 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F10161C3ACDE4B7DADCD1EEDDCF937F1)

conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6880 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2159148981.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2153470757.0000000004245000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6880	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.4245570.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.file.exe.4245570.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.4245570.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x458ad:$s1: file:/// 0x45809:$s2: {11111-22222-10009-11112} 0x4583d:$s3: {11111-22222-50001-00000} 0x4276b:$s4: get_Module 0x3cf55:$s5: Reverse 0x3dc05:$s6: BlockCopy 0x3ced4:$s7: ReadByte 0x458bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.file.exe.4245570.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.file.exe.4245570.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.4245570.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x43aad:$s1: file:/// 0x43a09:$s2: {11111-22222-10009-11112} 0x43a3d:$s3: {11111-22222-50001-00000} 0x4096b:$s4: get_Module 0x3b155:$s5: Reverse 0x3be05:$s6: BlockCopy 0x3b0d4:$s7: ReadByte 0x43abf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x458ad:$s1: file:/// 0x45809:$s2: {11111-22222-10009-11112} 0x4583d:$s3: {11111-22222-50001-00000} 0x4276b:$s4: get_Module 0x3cf55:$s5: Reverse 0x3dc05:$s6: BlockCopy 0x3ced4:$s7: ReadByte 0x458bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RegAsm.exe, 00000004.00000002.2168998227.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000004.00000002.2168998227.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000004.00000002.2168998227.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000004.00000002.2168998227.00000000031DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003175000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003388000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_2d6d67b3-8

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: file.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 504320

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_014C745A		4_2_014C745A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_014C7468		4_2_014C7468

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Security

Jump to behavior

Source: file.exe, 00000000.00000002.2151319090.00000000013DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2153470757.0000000004245000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCopita.exe" vs file.exe
Source: file.exe, 00000000.00000000.2147605021.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesecinitj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamesecinitj% vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.4245570.0.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4245570.0.raw.unpack, TripleDes.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4245570.0.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.file.exe.4245570.0.raw.unpack, A2H1lUZ15GsIooGy4G.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.file.exe.4245570.0.raw.unpack, A2H1lUZ15GsIooGy4G.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_014CE390 push eax; ret

4_2_014CE391

Source: file.exe

Static PE information: section name: .text entropy: 7.998016375889197

Source: 0.2.file.exe.4245570.0.raw.unpack, Form1.cs	High entropy of concatenated method names: '_003CReadLine_003Eb__2_0', 'u6YPlGEI8QVmr8I8RpM', 'Wvju4xEDuYOca4808Qu', 'T7d5G9E2aug3mHaOPxY', 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'YtIaI8j3rSiRyGAl2JW', 'N5mOPLjYAuiZjHAvqIA'
Source: 0.2.file.exe.4245570.0.raw.unpack, FieldRoot20.cs	High entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'aGErA5sQtlXYtkc27h2', 'cIYEf8sLrL3CSuxF0Lm', 'oJJkSAsqX9jsWvIh64r'
Source: 0.2.file.exe.4245570.0.raw.unpack, SystemInfoHelper.cs	High entropy of concatenated method names: '_003CCloseBrowser_003Eb__1', 'rpm1MhNS33bBfOCj94m', 'zygwd6NQQdNu9pEPE3K', 'ShowMessage', 'CloseBrowser', 'Add', 'GetProcessors', 'GetGraphicCards', 'GetBrowsers', 'GetSerialNumber'
Source: 0.2.file.exe.4245570.0.raw.unpack, IPv4Helper.cs	High entropy of concatenated method names: '_003CGetDefaultIPv4Address_003Eb__1_0', '_003CGetDefaultIPv4Address_003Eb__1_1', 'sgfAjAEx0k9JoJfOBfT', 'oyrplTEnPeopkIp2NiN', 'C5MLWAEiqwHRZWOnJ4O', 'rnZAVrEtS20OgKUWM6v', 'Vhrg5vEzFa2NnOewMim', 'gYSU1JN9DcPZRYRkGeG', 'dTpFQlN56548JKyxPdP', 'IsLocalIp'
Source: 0.2.file.exe.4245570.0.raw.unpack, FieldRoot19.cs	High entropy of concatenated method names: 'Field1', 'Field2', 'Field3', 'QjCcD1Zn4tcfsZA9sIa', 'OhbwbhZi0NFOPuNkb38', 'a1EK4mZt4GAltSMBmyJ', 'BIl3VvZzcrbGuVWGMlc', 'Eklam2s9hBVdbjZgWBe', 'D84VyLZJsBycBUGd6e9', 'w0w9LXZxRRyNDew5Euq'
Source: 0.2.file.exe.4245570.0.raw.unpack, CryptoHelper.cs	High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'hLQIITji4QpCkh9wjkg', 'wdjLWYjtOQnfZ401LjT', 'EtO0u7jx2SiMcqvvLE4', 'p6thTQjn3OEOCvQTBp0', 'GEAFaojzqOQRdZvRHAf'
Source: 0.2.file.exe.4245570.0.raw.unpack, BerkeleyDB.cs	High entropy of concatenated method names: 'Extract', 'J1WSUBjDJSFisHixHI4', 'n0c3pAj2Rif647RIqXE', 'Sbl46hjKU2auxmj19VJ', 'VcI3PRjfLlC21DCR0ND', 'N9WNDCjgExGI7YSuU2Y', 'Fvt0YIjIqtoE0sLpZBG', 'NQ3M7jjPh1Z8gNyFIOT'
Source: 0.2.file.exe.4245570.0.raw.unpack, TripleDes.cs	High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'MmcFqZRL0qST7eLXOlf', 'eSgwX8Rl91afUQv4O9G', 'ge8AaBR8JGoTTKek3MA', 'qbE6jpRaW5pXB5Uqhrd', 'gul6CnRVV47QPE300pE', 'AEaPMTRpnoUEGMV5my8'
Source: 0.2.file.exe.4245570.0.raw.unpack, A2H1lUZ15GsIooGy4G.cs	High entropy of concatenated method names: 'NA10JdHu1v0HlJWFF9p', 'TR4sHkH1BFUKOVlIA2P', 'LtQPyoxJn7', 'P8Gh1PHTowh3fy8qlLk', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk', 'wmTPVkxu9Y', 'fZOeODHb8Jam9ngiXRS'

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 14C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5110000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2056	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6432	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_03242139 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_03242139

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11CD008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003388000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: RegAsm.exe, 00000004.00000002.2168998227.0000000003388000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000002.2151319090.000000000141D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: file.exe, 00000000.00000002.2151319090.000000000141D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2159148981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153470757.0000000004245000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6880, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2159148981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2153470757.0000000004245000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6880, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.file.exe.4245570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4245570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://api.ip.sb/ip	0%	URL Reputation	safe
https://api.ip.s	0%	URL Reputation	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	RegAsm.exe, 00000004.00000002.2168998227.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	RegAsm.exe, 00000004.00000002.2168998227.0000000003175000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	RegAsm.exe, 00000004.00000002.2168998227.0000000003242000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504333
Start date and time:	2024-09-04 19:27:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 23 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.993353372834414
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	file.exe
File size:	513'536 bytes
MD5:	f10161c3acde4b7dadcd1eeddcf937f1
SHA1:	ebf47c2e0916fbc430ddc8a90cdd1fe98112f979
SHA256:	445a933766bf381ebe8530e0795e22ab2bccace28291388aba99808e101e8230
SHA512:	5024f57f0bff356120598e7faa472c956d843d36a6d83d953c9a7345aee36a14d216f1bde61524a62a0dba4cb4fae4a67dcefaa0b2e8fa5526dfc9a218e985d9
SSDEEP:	12288:1/WRdaNJO5iDHXpuTa86H0SWJfVMPJOqGYou7BBqCi7W1P:1/WRdH52q6HUBOkaDi7W1P
TLSH:	DDB423468A206224DF2FEEB815BE00EB5775F01607E76BF117BD560E7A97E440082ED3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....V.f................................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x47e8de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D8569E [Wed Sep 4 12:46:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e890	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x602	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7e758	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c8e4	0x7ca00	1bc9cd94710c335ab68719efa950e198	False	0.9968910638164493	data	7.998016375889197	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x602	0x800	44bf719e1ae4c4c948b65e2d708ee3ed	False	0.345703125	data	3.467063412160503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	f1bc35b35bfe6e37da484eb87b9be317	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x800a0	0x378	data	English	United States	0.4560810810810811
RT_MANIFEST	0x80418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	13:27:58
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe40000
File size:	513'536 bytes
MD5 hash:	F10161C3ACDE4B7DADCD1EEDDCF937F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2153470757.0000000004245000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:27:58
Start date:	04/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:27:59
Start date:	04/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1e0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:27:59
Start date:	04/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe00000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.2159148981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:27:59
Start date:	04/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	44.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25%
Total number of Nodes:	32
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03242139 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,032420AB,0324209B), ref: 032422A8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 032422BB
Wow64GetThreadContext.KERNEL32(00000304,00000000), ref: 032422D9
ReadProcessMemory.KERNELBASE(00000300,?,032420EF,00000004,00000000), ref: 032422FD
VirtualAllocEx.KERNELBASE(00000300,?,?,00003000,00000040), ref: 03242328
TerminateProcess.KERNELBASE(00000300,00000000), ref: 03242347
WriteProcessMemory.KERNELBASE(00000300,00000000,?,?,00000000,?), ref: 03242380
WriteProcessMemory.KERNELBASE(00000300,00400000,?,?,00000000,?,00000028), ref: 032423CB
WriteProcessMemory.KERNELBASE(00000300,?,?,00000004,00000000), ref: 03242409
Wow64SetThreadContext.KERNEL32(00000304,03120000), ref: 03242445
ResumeThread.KERNELBASE(00000304), ref: 03242454

Strings

VirtualAlloc, xrefs: 03242200
WriteProcessMemory, xrefs: 0324224C
ress, xrefs: 032421C3
GetThreadContext, xrefs: 03242213
CreateProcessA, xrefs: 032421ED
VirtualAllocEx, xrefs: 03242239
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 032422A7
TerminateProcess, xrefs: 03242337
ResumeThread, xrefs: 03242275
SetThreadContext, xrefs: 0324225F
GetP, xrefs: 032421BB
Load, xrefs: 03242177
ReadProcessMemory, xrefs: 03242226
aryA, xrefs: 0324217F

Memory Dump Source

Source File: 00000000.00000002.2152327095.0000000003241000.00000040.00000800.00020000.00000000.sdmp, Offset: 03241000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3241000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: f129ef2bdc32d69c16653dd048be6f2eec7b1631b94bbfcc711d841428497bad
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 98B1E67660024AAFDB60CF69CC80BDA77A9FF88714F158564FA0CAB341D774FA418B94

Function 015F0AD7 Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,04243590,?,?,?), ref: 015F0DDC

Memory Dump Source

Source File: 00000000.00000002.2151864067.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7e3b1cfe3d200d61d7dd4e3ec25ceae667e190e24a158ef72bd2782c4f3b303b
Instruction ID: 286c1ce25e7175ee481e3426265f192cccc1fe906c833d63c840fb00c388b492
Opcode Fuzzy Hash: 7e3b1cfe3d200d61d7dd4e3ec25ceae667e190e24a158ef72bd2782c4f3b303b
Instruction Fuzzy Hash: 2FB17071A0025A8FCB15CF99C4806ADFBF2FF49314F68855AE559EB292C334ED41CBA0

Function 015F04B0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,04243590,?,?,?), ref: 015F0DDC

Memory Dump Source

Source File: 00000000.00000002.2151864067.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 74d4f7483c984db868edd2c52973d945435d26f721964049aea6383b8f3718d6
Instruction ID: 1f57a6aacd2f7afda675b867a0b6c2b8bb4989151da63485b530b164e9f1594d
Opcode Fuzzy Hash: 74d4f7483c984db868edd2c52973d945435d26f721964049aea6383b8f3718d6
Instruction Fuzzy Hash: 7C21E2B590125DEFCB10DF9AD884ADEFFB5FB48310F108119EA18A7240C3B4A954CBA1

Function 015F0490 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 015F0AAC

Memory Dump Source

Source File: 00000000.00000002.2151864067.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_file.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 18125bdaecd4790f70af66bb03d12b4900999287a045814a4cbae90d1dbf77e4
Instruction ID: f422dbad07eb334781264ff343309d5c31a598419281b575e048acdcf9920e4b
Opcode Fuzzy Hash: 18125bdaecd4790f70af66bb03d12b4900999287a045814a4cbae90d1dbf77e4
Instruction Fuzzy Hash: 221162718003588FDB10DF9AC484BDEBFF0EF48324F28845AD6996B251C7B8A448CFA4

Function 015F0A49 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 015F0AAC

Memory Dump Source

Source File: 00000000.00000002.2151864067.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_file.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 026055ecdd71d0e1796860d7a9313e2fc22b82098cc6f31d7f71481f7d45923a
Instruction ID: 9155756ce052bab7f2fe57ca36f718fad4099525784590cfa4e714ab34d137b0
Opcode Fuzzy Hash: 026055ecdd71d0e1796860d7a9313e2fc22b82098cc6f31d7f71481f7d45923a
Instruction Fuzzy Hash: DC112EB58003098FDB20DF99C545BDEBFF0FB88320F20851AD519A7650C3B9A944CFA0

Function 015F04A4 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 015F0AAC

Memory Dump Source

Source File: 00000000.00000002.2151864067.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_file.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: b577d75ad2e0b87cfb7deed8e8fe0d54e9e5d86c736ba935036192fec92818cd
Instruction ID: 3a3241ecbb83ed84d287824066e215d540a26434e7cb47d34648391712099565
Opcode Fuzzy Hash: b577d75ad2e0b87cfb7deed8e8fe0d54e9e5d86c736ba935036192fec92818cd
Instruction Fuzzy Hash: 561130B48007498FDB20DF8AC544B9EBBF0FB48320F248419D659A7240C3B4A944CFA1

Analysis Process: RegAsm.exePID: 6880, Parent PID: 368COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	85
Total number of Limit Nodes:	6

Executed Functions

Function 014CEBB0 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014CEC3E
GetCurrentThread.KERNEL32 ref: 014CEC7B
GetCurrentProcess.KERNEL32 ref: 014CECB8
GetCurrentThreadId.KERNEL32 ref: 014CED11

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2701cdb78aa9b7c2ed13fba9b082d3a0630cfe16ea10c5426786d6ccb131a861
Instruction ID: 9a59f73d46c04b6d8ac9e3e7b00964959e525bcfeb86c3f9fb99a20745f13d6c
Opcode Fuzzy Hash: 2701cdb78aa9b7c2ed13fba9b082d3a0630cfe16ea10c5426786d6ccb131a861
Instruction Fuzzy Hash: AC5155B090174A8FEB48CFA9D648B9EBFF1EF48314F24845EE109A73A0DB745944CB65

Function 014CEBC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 014CEC3E
GetCurrentThread.KERNEL32 ref: 014CEC7B
GetCurrentProcess.KERNEL32 ref: 014CECB8
GetCurrentThreadId.KERNEL32 ref: 014CED11

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a315b2b9c0a833d1f70288985bcf4afb176472e9b0a279a446c430936e6db4f6
Instruction ID: ce253e327d86898221e64ae8ecdfee3ab209d47961432edf627fc74eaf3fb935
Opcode Fuzzy Hash: a315b2b9c0a833d1f70288985bcf4afb176472e9b0a279a446c430936e6db4f6
Instruction Fuzzy Hash: C85147B09013498FDB54CFAAD548B9EBFF1EF88714F20845EE109A73A0DB745944CB65

Function 014CC917 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014CCB7E

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 385698a2942b564cf481839ae7228c4c19dbbec25d37e614cc6edfe0529eb8ed
Instruction ID: 7bd6f0a18b7797f5b6af55261829ccc8c92f80c54d771d031de0dae35381f17f
Opcode Fuzzy Hash: 385698a2942b564cf481839ae7228c4c19dbbec25d37e614cc6edfe0529eb8ed
Instruction Fuzzy Hash: 81814274A00B058FD764DF6AD49479ABBF1FB88A10F00892ED48AD7B60DB34E845CB91

Function 014C598C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014C5A49

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f9221fb9de8867ede7bb39b9d40b7c93168e84291e09fccc178908b83a4461ec
Instruction ID: 6d7154e215f6648612c7c4a71747026dd4f37cb4699dd87baaafd7653deb186d
Opcode Fuzzy Hash: f9221fb9de8867ede7bb39b9d40b7c93168e84291e09fccc178908b83a4461ec
Instruction Fuzzy Hash: DE41E070D0071DCBDB24CFAAC984BCEBBB1BF88704F20806AD408AB251DB766946CF50

Function 014C456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014C5A49

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b1eb48e210032061c86838755636e8a9669c300df302a28cf03edc98537cb0de
Instruction ID: caf6be7ba5ca91e7e80e75bc681c5c36b917c22feacc7f8814fb87bf09cf89a0
Opcode Fuzzy Hash: b1eb48e210032061c86838755636e8a9669c300df302a28cf03edc98537cb0de
Instruction Fuzzy Hash: 2341E2B4D0071DCBDB24CFAAC984BDEBBB5BF48704F20806AD508AB251DB756946CF90

Function 014CEE00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CEE8F

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95447703fcaabd8c0dd2617b6a819899914fb5920db29e6db4ed3dafab14ac37
Instruction ID: 8f5afb5827dbf9a2aebef5a5b791dcb36111c42a59c92aef8bddc3c963bdc38b
Opcode Fuzzy Hash: 95447703fcaabd8c0dd2617b6a819899914fb5920db29e6db4ed3dafab14ac37
Instruction Fuzzy Hash: 8621E4B69012499FDB10CFAAD984ADEFFF4EB48720F14841AE918B3310D374A954CF64

Function 014CC310 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014CCBF9,00000800,00000000,00000000), ref: 014CCE0A

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0603901a238a4d520fb483071937f69211a4e90bd6feebf4097aba38465ef460
Instruction ID: 87417c819947ea17fe8fff860198a7c026dacc3e614b09de9f1ba9b2e409b15c
Opcode Fuzzy Hash: 0603901a238a4d520fb483071937f69211a4e90bd6feebf4097aba38465ef460
Instruction Fuzzy Hash: 6A2139B68043498FDB10CF9AC884ADEBFF4AB49620F14846ED559A7210C3B4A545CFA5

Function 014CEE08 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014CEE8F

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bbbacdd9976c3b8c3a66186c79a25d3c5096390b0b7aafc1523d3f6fbac445e1
Instruction ID: d0451a956a8beb4e1b8eb9ea259784c13a594031adf67bb6a6d783ab82978a4e
Opcode Fuzzy Hash: bbbacdd9976c3b8c3a66186c79a25d3c5096390b0b7aafc1523d3f6fbac445e1
Instruction Fuzzy Hash: 4521C2B59002499FDB10CFAAD984ADEBFF4EB48720F14841AE918B3310D378A954CFA5

Function 014CC328 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014CCBF9,00000800,00000000,00000000), ref: 014CCE0A

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4c305b68ac142353990844de10abf92e76a3d41942c1074833c506d44a220195
Instruction ID: 6a05e2474386bdb38d32440193368822ab77f0b120c2504f0238c6744d03da03
Opcode Fuzzy Hash: 4c305b68ac142353990844de10abf92e76a3d41942c1074833c506d44a220195
Instruction Fuzzy Hash: 991103B68002499FDB10CF9AC884B9EFBF4EB88720F14842EE519A7210C374A545CFA5

Function 014CCD99 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014CCBF9,00000800,00000000,00000000), ref: 014CCE0A

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e7a1aaf59312427e84b5eadfe29f8b22af0e9227a10f3922c4d744af59147249
Instruction ID: fb2e3f0d65207e79892b0c5b85769b4241b511dfe9fb7118f3598a33fb3e26ae
Opcode Fuzzy Hash: e7a1aaf59312427e84b5eadfe29f8b22af0e9227a10f3922c4d744af59147249
Instruction Fuzzy Hash: 2E11FFB68002099FDB10CF9AC984A9EBBF4AB88620F14842EE519A7210C775A545CFA5

Function 014CCB18 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014CCB7E

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e6f25e4984e4c097a7c48245e153ed6875934bfda48c74acb17d607212348595
Instruction ID: 6e781f7cc457ea9e8d20f554b105947647819117822074c04f5b2adb675838cc
Opcode Fuzzy Hash: e6f25e4984e4c097a7c48245e153ed6875934bfda48c74acb17d607212348595
Instruction Fuzzy Hash: 4E110FB6C007498FDB10CF9AD444B9EFBF4EB88A24F14842AD518A7210D378A545CFA5

Function 0141D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160304931.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_141d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be5b7dcbbc1771807890f5d7140fd2c0c2ca1307277eebb296bc79599734e56
Instruction ID: bf0ef69e7f970c234d61162021030540326a43fbbc9547755ab4c4f662f42fdc
Opcode Fuzzy Hash: 3be5b7dcbbc1771807890f5d7140fd2c0c2ca1307277eebb296bc79599734e56
Instruction Fuzzy Hash: 152128B2904244DFDB05DF54D9C4B27BF65FB84318F24856ED9090B32AC336D456CBA1

Function 0142D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161314938.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ebfa618892debebec40309c5c60195754de2f76d14a8fda857c3c1ba27a509
Instruction ID: 648dd7fe9c7b2b9f71ef99f5c64466b025c54b9291be3a65d1ad8fd80ea3c428
Opcode Fuzzy Hash: 90ebfa618892debebec40309c5c60195754de2f76d14a8fda857c3c1ba27a509
Instruction Fuzzy Hash: 58214671904300EFDB05DF94D9C0B26BBA1FB85324F60C5AED9094B362C776D486CA71

Function 0142D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161314938.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49198f8245c17addcea939873c6111500fb73c3b4a15f90617b0319c85e5d4f
Instruction ID: 7a4620df1967ddcb5a21b5aea5d83f8c83430ff6ad599a6c6ae405772bf30ae9
Opcode Fuzzy Hash: e49198f8245c17addcea939873c6111500fb73c3b4a15f90617b0319c85e5d4f
Instruction Fuzzy Hash: 732142B1A04240EFCB14CF54D9C0B26BBA1EB84318F60C56ED90A4B372C77AC487CA61

Function 0142D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161314938.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f457b931c09cf8e5d8cd6eea1c670eff30a319908c8801d90461117a341ec326
Instruction ID: 6025c220d7145bf2ec9208730c8bca9d00fc0b72513015b336fd879e9616c4d5
Opcode Fuzzy Hash: f457b931c09cf8e5d8cd6eea1c670eff30a319908c8801d90461117a341ec326
Instruction Fuzzy Hash: D9218E755093808FCB12CF24D990716BF71EB46218F28C5EBD8498B667C33A984ACB62

Function 0141D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2160304931.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_141d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
Instruction ID: bfa275fa30cc6e4966e7c071b23945c65d32959000bcc823f4ebfd0764e6829f
Opcode Fuzzy Hash: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
Instruction Fuzzy Hash: BC11B1B6904280CFCB16CF54D9C4B16BF71FB84318F2486AAD9094B72AC33AD456CBA1

Function 0142D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2161314938.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adcda68119555c6f25b62d92a5950083e81dc615a2459920abefbb8922beed6
Instruction ID: c8e44e8b983b9c85ce06d56521b3e8808642d3b8ff6a381982b356b7dcc38f23
Opcode Fuzzy Hash: 3adcda68119555c6f25b62d92a5950083e81dc615a2459920abefbb8922beed6
Instruction Fuzzy Hash: 3411BE75904280DFDB02CF54C5C0B16BB61FB85224F24C6AAD8494B766C33AD44ACB61

Non-executed Functions

Function 014C745A Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2c70c9ad38e7da82f49810f6eabbff648f98e2c6d5552fd5fb6b4930829af8
Instruction ID: dbed7251a4b786429c5336fded6e49ecc0cc14be88de35bdd0719282f752fe44
Opcode Fuzzy Hash: ab2c70c9ad38e7da82f49810f6eabbff648f98e2c6d5552fd5fb6b4930829af8
Instruction Fuzzy Hash: DC813F70A01249CFE758DF6BE950699BFF2FBC4300F54C06AC414AB279EB785886CB59

Function 014C7468 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2167947489.00000000014C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14c0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7927acd8b12ef15b739ea9b06574fddd9691ac8094c9955d160c80fcce1c6c93
Instruction ID: 2e0f81d5f9ace882f781935bbf873a4e6d56401c0ade994cb9cd024fb6f45088
Opcode Fuzzy Hash: 7927acd8b12ef15b739ea9b06574fddd9691ac8094c9955d160c80fcce1c6c93
Instruction Fuzzy Hash: AA61FA70A01609CFE758DF6BE950A9EBFF2FBC4300F54C16AC414AB278EB7858858B54

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
file.exe

Function 03242139 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 015F0AD7 Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Function 015F04B0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 015F0490 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 015F0A49 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Function 015F04A4 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Function 014CEBB0 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Function 014CEBC0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 014CC917 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Function 014C598C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 014C456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 014CEE00 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 014CC310 Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Function 014CEE08 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 014CC328 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 014CCD99 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 014CCB18 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON