Edit tour

Windows Analysis Report
66dcab0bcba58_crypted.exe

Overview

General Information

Sample name:	66dcab0bcba58_crypted.exe
Analysis ID:	1507479
MD5:	751e3d161454b4c4aa4cf9ff902ebe1c
SHA1:	25ea26e9037576f135a8f950ba47afe70195b2e9
SHA256:	7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144
Tags:	exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Enables security privileges

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

66dcab0bcba58_crypted.exe (PID: 3760 cmdline: "C:\Users\user\Desktop\66dcab0bcba58_crypted.exe" MD5: 751E3D161454B4C4AA4CF9FF902EBE1C)

conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 3984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2123504917.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2115722247.0000000003965000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 3984	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x43aad:$s1: file:/// 0x43a09:$s2: {11111-22222-10009-11112} 0x43a3d:$s3: {11111-22222-50001-00000} 0x4096b:$s4: get_Module 0x3b155:$s5: Reverse 0x3be05:$s6: BlockCopy 0x3b0d4:$s7: ReadByte 0x43abf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x458ad:$s1: file:/// 0x45809:$s2: {11111-22222-10009-11112} 0x4583d:$s3: {11111-22222-50001-00000} 0x4276b:$s4: get_Module 0x3cf55:$s5: Reverse 0x3dc05:$s6: BlockCopy 0x3ced4:$s7: ReadByte 0x458bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x458ad:$s1: file:/// 0x45809:$s2: {11111-22222-10009-11112} 0x4583d:$s3: {11111-22222-50001-00000} 0x4276b:$s4: get_Module 0x3cf55:$s5: Reverse 0x3dc05:$s6: BlockCopy 0x3ced4:$s7: ReadByte 0x458bf:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 4 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 66dcab0bcba58_crypted.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 66dcab0bcba58_crypted.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 66dcab0bcba58_crypted.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: RegAsm.exe, 00000006.00000002.2125559890.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000006.00000002.2125559890.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000006.00000002.2125559890.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000006.00000002.2125559890.000000000304C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: RegAsm.exe, 00000006.00000002.2125559890.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 00000006.00000002.2125559890.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Source: RegAsm.exe, 00000006.00000002.2125559890.00000000031F8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_f73681f1-b

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 66dcab0bcba58_crypted.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 504320

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_02E17712	6_2_02E17712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_02E17468	6_2_02E17468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_02E1745A	6_2_02E1745A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Security

Jump to behavior

Source: 66dcab0bcba58_crypted.exe, 00000000.00000000.1391386352.00000000005E0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exeP vs 66dcab0bcba58_crypted.exe
Source: 66dcab0bcba58_crypted.exe, 00000000.00000002.2115148915.00000000009CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 66dcab0bcba58_crypted.exe
Source: 66dcab0bcba58_crypted.exe, 00000000.00000002.2115722247.0000000003965000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCopita.exe" vs 66dcab0bcba58_crypted.exe
Source: 66dcab0bcba58_crypted.exe	Binary or memory string: OriginalFilenameVQP.exeP vs 66dcab0bcba58_crypted.exe

Source: 66dcab0bcba58_crypted.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 66dcab0bcba58_crypted.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/2@0/0

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66dcab0bcba58_crypted.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03

Source: 66dcab0bcba58_crypted.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 66dcab0bcba58_crypted.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe "C:\Users\user\Desktop\66dcab0bcba58_crypted.exe"
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior

Source: 66dcab0bcba58_crypted.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 66dcab0bcba58_crypted.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 66dcab0bcba58_crypted.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_02E1E390 push eax; ret		6_2_02E1E391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_02E1D040 push 18418B05h; ret		6_2_02E1D2A3

Source: 66dcab0bcba58_crypted.exe

Static PE information: section name: .text entropy: 7.997924750654594

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4F80000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe TID: 2740	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3832	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Code function: 0_2_029624B1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_029624B1

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10EB008	Jump to behavior

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: RegAsm.exe, 00000006.00000002.2125559890.00000000031F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: RegAsm.exe, 00000006.00000002.2125559890.00000000031F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe	Queries volume information: C:\Users\user\Desktop\66dcab0bcba58_crypted.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 66dcab0bcba58_crypted.exe, 00000000.00000002.2115148915.0000000000A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: 66dcab0bcba58_crypted.exe, 00000000.00000002.2115148915.0000000000A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2123504917.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2115722247.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3984, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2123504917.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2115722247.0000000003965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 3984, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.66dcab0bcba58_crypted.exe.3965570.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	11 Input Capture	111 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
66dcab0bcba58_crypted.exe	100%	Avira	HEUR/AGEN.1351932

Source	Detection	Scanner	Label
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://api.ip.s	0%	Avira URL Cloud	safe
https://api.ip.sb/ip	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/ip	RegAsm.exe, 00000006.00000002.2125559890.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.s	RegAsm.exe, 00000006.00000002.2125559890.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	RegAsm.exe, 00000006.00000002.2125559890.00000000030B2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1507479
Start date and time:	2024-09-08 14:55:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	66dcab0bcba58_crypted.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@5/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 66dcab0bcba58_crypted.exe

Process:	C:\Users\user\Desktop\66dcab0bcba58_crypted.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.993186332092758
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	66dcab0bcba58_crypted.exe
File size:	513'536 bytes
MD5:	751e3d161454b4c4aa4cf9ff902ebe1c
SHA1:	25ea26e9037576f135a8f950ba47afe70195b2e9
SHA256:	7734438b2296ded96633a8f71fdccc2f4fdcff14c933facac7b44007226d3144
SHA512:	3e474ea0b0511e8361d80fafc52f0f27f5c8659bc7a40dd31168ea79595c68ab0162295d0fea7b6af4746e4b48279644b93281c094d17c271afe4b4f44029435
SSDEEP:	12288:YgdDFJgZ6borc+sShC9ptpLW7XNiib+iXrNnkVr49/R/Qyj1KG6xL:PmZnL0ptc7XNiiaiXBkRc14
TLSH:	A0B423401ACA89FDF4A7D9B3CD3FD2108B267F44613C108BC69E589F90E9E5434A76A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x47e8ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66DCA411 [Sat Sep 7 19:05:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e858	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7e720	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c8b4	0x7ca00	e9ba6a9d797e4f488cf436801295c939	False	0.9967794007021064	data	7.997924750654594	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x610	0x800	691e3885d6b03f247d1ff3db7d7cf280	False	0.34716796875	data	3.415794247909268	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	428bc1e1bfabad22ef6f9fcbbcf213fe	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x800a0	0x37c	data			0.4551569506726457
RT_MANIFEST	0x80420	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	08:56:36
Start date:	08/09/2024
Path:	C:\Users\user\Desktop\66dcab0bcba58_crypted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\66dcab0bcba58_crypted.exe"
Imagebase:	0x560000
File size:	513'536 bytes
MD5 hash:	751E3D161454B4C4AA4CF9FF902EBE1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2115722247.0000000003965000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:56:36
Start date:	08/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:57:49
Start date:	08/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xe30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2123504917.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:57:49
Start date:	08/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	48.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30.4%
Total number of Nodes:	23
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 029624B1 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02962423,02962413), ref: 02962620
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02962633
Wow64GetThreadContext.KERNEL32(000002F8,00000000), ref: 02962651
ReadProcessMemory.KERNELBASE(000002F4,?,02962467,00000004,00000000), ref: 02962675
VirtualAllocEx.KERNELBASE(000002F4,?,?,00003000,00000040), ref: 029626A0
WriteProcessMemory.KERNELBASE(000002F4,00000000,?,?,00000000,?), ref: 029626F8
WriteProcessMemory.KERNELBASE(000002F4,00400000,?,?,00000000,?,00000028), ref: 02962743
WriteProcessMemory.KERNELBASE(000002F4,?,?,00000004,00000000), ref: 02962781
Wow64SetThreadContext.KERNEL32(000002F8,00BE0000), ref: 029627BD
ResumeThread.KERNELBASE(000002F8), ref: 029627CC

Strings

CreateProcessA, xrefs: 02962565
WriteProcessMemory, xrefs: 029625C4
TerminateProcess, xrefs: 029626AF
Load, xrefs: 029624EF
VirtualAllocEx, xrefs: 029625B1
VirtualAlloc, xrefs: 02962578
GetThreadContext, xrefs: 0296258B
ResumeThread, xrefs: 029625ED
aryA, xrefs: 029624F7
GetP, xrefs: 02962533
ReadProcessMemory, xrefs: 0296259E
ress, xrefs: 0296253B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 0296261F
SetThreadContext, xrefs: 029625D7

Memory Dump Source

Source File: 00000000.00000002.2115685023.0000000002962000.00000040.00000800.00020000.00000000.sdmp, Offset: 02962000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2962000_66dcab0bcba58_crypted.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 6adb1b7a9bf685b6e800a49956092fe44902478b9254ca4004347032738e7b40
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 14B1D67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 0296280E Relevance: 3.0, APIs: 2, Instructions: 14
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(000002F8,00BE0000), ref: 029627BD
ResumeThread.KERNELBASE(000002F8), ref: 029627CC

Memory Dump Source

Source File: 00000000.00000002.2115685023.0000000002962000.00000040.00000800.00020000.00000000.sdmp, Offset: 02962000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2962000_66dcab0bcba58_crypted.jbxd

Similarity

API ID: Thread$ContextResumeWow64
String ID:
API String ID: 1826235168-0
Opcode ID: 2a031f14ae9a89ed3386bac3b4d03e4953c3f85682a8834f0a4965134a61e3a9
Instruction ID: 25313f1756dc25f659fb2fe162e36a9200c0a76eba31830aace5e952311ffcda
Opcode Fuzzy Hash: 2a031f14ae9a89ed3386bac3b4d03e4953c3f85682a8834f0a4965134a61e3a9
Instruction Fuzzy Hash: 09D0C271648289ABCF70DF99DCD0FEE73E8BF4D320F401451AA1D8B615D6316B009B20

Function 00F50B28 Relevance: 1.8, APIs: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03963594,?,?,?), ref: 00F50E1C

Memory Dump Source

Source File: 00000000.00000002.2115561646.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_66dcab0bcba58_crypted.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dda720ce6088de49ae3d4eeaa7eb9fc642e137f6d257e681e807bde34b7ddd2e
Instruction ID: 42a5331752c2e6cdee4324b3cd4f36016f6b02e6a477a9a870bff1bda616011f
Opcode Fuzzy Hash: dda720ce6088de49ae3d4eeaa7eb9fc642e137f6d257e681e807bde34b7ddd2e
Instruction Fuzzy Hash: 09A1CE309042658FCB11DFA8C880AADFFF1FF49314F598669E959AB352C734AC45CBA4

Function 00F504B0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03963594,?,?,?), ref: 00F50E1C

Memory Dump Source

Source File: 00000000.00000002.2115561646.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_66dcab0bcba58_crypted.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 43258aa4d60ce5adf56f001f4291d9e1138b7e765b8b475fa5b602433a152bd1
Instruction ID: 603ef38ef65bfc3dd6733cc4f7991c6fd68ce7bc64f70da0a1975e1dc060fe6a
Opcode Fuzzy Hash: 43258aa4d60ce5adf56f001f4291d9e1138b7e765b8b475fa5b602433a152bd1
Instruction Fuzzy Hash: 3A21EFB590025DAFCB10DF9AD885BDEFFB4FB48320F10812AE918A7240C775A954CFA1

Analysis Process: RegAsm.exePID: 3984, Parent PID: 3760COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	101
Total number of Limit Nodes:	4

Executed Functions

Function 02E17712 Relevance: .2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c89beadc89a77d184e5d8cbac5c053b48b2416aaf17712179cd85f317e17acc
Instruction ID: 2214037aa0922aee8754e56e24d3961718ccea3d858cf396cb61ea16df3ed85b
Opcode Fuzzy Hash: 3c89beadc89a77d184e5d8cbac5c053b48b2416aaf17712179cd85f317e17acc
Instruction Fuzzy Hash: F5B17675E016198FDB58DF6AC944ADEBBF2BF89300F14D1AAD809A7364DB305A81CF50

Function 02E1C928 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ec132d5f54e87174de7eb674f39fdd557f2def419b6f64582b56cc927047ec59
Instruction ID: f7d3b1f38e73ec3bb3cf6a680aecd678876984408772b7a7661579af8e8e9655
Opcode Fuzzy Hash: ec132d5f54e87174de7eb674f39fdd557f2def419b6f64582b56cc927047ec59
Instruction Fuzzy Hash: 65715770A40B058FDB24DF6AD05575ABBF1FF88704F10992ED48AD7A50DB34E845CB92

Function 02E1456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E15A49

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ca1c86dd1b36883ffdc709d2cdcbdee131f13b62523fe9a36c5a4b83ec2f8b2b
Instruction ID: 66d6f173bcc81067292495abc217cf0a2bfd9f4bb6ddd346b253c5cb637da579
Opcode Fuzzy Hash: ca1c86dd1b36883ffdc709d2cdcbdee131f13b62523fe9a36c5a4b83ec2f8b2b
Instruction Fuzzy Hash: 8F41F1B0C4071DCFDB24DFA9C884B9EBBB5BF88704F60816AD408AB250DB756949CF90

Function 02E1598C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E15A49

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 292a5d8f8ae461fba126a403ea443a5dcb1b9c367bba7843b55175eec26052d3
Instruction ID: 3a7f23409c5489b71d24994ff1a7094f3548f162bc35b704219cda210a3a6490
Opcode Fuzzy Hash: 292a5d8f8ae461fba126a403ea443a5dcb1b9c367bba7843b55175eec26052d3
Instruction Fuzzy Hash: 8F41E071D40719CFDB24DFA9C884BDEBBB5BF88704F60816AD408AB250DB75694ACF50

Function 02E1E750 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E1EDCE,?,?,?,?,?), ref: 02E1EE8F

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a966ead6cd73be1428a57a2cfd9595fe0d9bfa0d52471d3ebf6b0b8ae0b383ec
Instruction ID: 6a639868eb29203e18bcc90f4edeebc1e9324880c579e5e8e464b59833731c58
Opcode Fuzzy Hash: a966ead6cd73be1428a57a2cfd9595fe0d9bfa0d52471d3ebf6b0b8ae0b383ec
Instruction Fuzzy Hash: A321E6B59003499FDB10CF9AD984AEEFFF4EB48710F14842AE914A3310D778A954CFA5

Function 02E1EE00 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E1EDCE,?,?,?,?,?), ref: 02E1EE8F

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3845582ed8c745d0000d45911abd99c39b11eba85007a6e4ed17e1d46acd3c96
Instruction ID: 180833365335c3b9bc06cf3627dc677d6611bb68493c6c2a75fb2e5a6866fade
Opcode Fuzzy Hash: 3845582ed8c745d0000d45911abd99c39b11eba85007a6e4ed17e1d46acd3c96
Instruction Fuzzy Hash: 7121E6B5D01249AFDB10CF9AD984ADEFFF4EB48320F14841AE914A3310D378A944CF65

Function 02E1C328 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E1CBF9,00000800,00000000,00000000), ref: 02E1CE0A

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 16382ee81aaae04b0d8d5ffd567a17538ac27dbef395cc690e18bb5bf87ab3e0
Instruction ID: 1301c30eb08e057175f0fb854c97308d11265abaccb3a1a0aa5adfa9b08a4d14
Opcode Fuzzy Hash: 16382ee81aaae04b0d8d5ffd567a17538ac27dbef395cc690e18bb5bf87ab3e0
Instruction Fuzzy Hash: 5C1114B69003499FDB10CF9AC844BEEFBF4EB88714F10942EE519A7200C379A545CFA5

Function 02E1CD99 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E1CBF9,00000800,00000000,00000000), ref: 02E1CE0A

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e7eae7766a6d73ccf41673672ae71cff55646dcf10ec6e7f24844a0d9a3923ea
Instruction ID: abbfc842c7ad25cbb99bfc2003dbeafeb1f7c605e8990e6a1dfeb90f93049c61
Opcode Fuzzy Hash: e7eae7766a6d73ccf41673672ae71cff55646dcf10ec6e7f24844a0d9a3923ea
Instruction Fuzzy Hash: 4A11D0B69003499FDB10CF9AC844B9EFBF5EB88624F14842AE519A7200C779A545CFA5

Function 02E19E7C Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02E1C944), ref: 02E1CB7E

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4731c00805a1f8cf572ee77d1d944ad7506aa1664a261856cf0cc102c81472ef
Instruction ID: a3f0a25a8c35141b6daaa5912748a6bb4c4cd1cf36eead57e89ca3e3a75cbc36
Opcode Fuzzy Hash: 4731c00805a1f8cf572ee77d1d944ad7506aa1664a261856cf0cc102c81472ef
Instruction Fuzzy Hash: 931143B5C007498FCB10CF9AD844BDEFBF4EB88624F20D42AD419A7200C379A545CFA2

Function 0141D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124184451.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_141d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5316bb0d60ee68bd6b91da36528c5980ab2d787272980887908cf1b2e325f1
Instruction ID: 135e41a1dffa232a2d759f108f951cee3642fad32fbd6a7863e5d290b591b180
Opcode Fuzzy Hash: ab5316bb0d60ee68bd6b91da36528c5980ab2d787272980887908cf1b2e325f1
Instruction Fuzzy Hash: 1B2106B1904304DFDB05DF54D9C8B17BF65FB84328F24856AD9090B36AC336D456CBA2

Function 0142D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124225485.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216567aee30807d00cf84aac69e593318415fc568fe34b5175f3ea0232a402f2
Instruction ID: 92dddcb38d32e47da19f56987e33a72bb4835b8bd49929c7cc366a1771e1b565
Opcode Fuzzy Hash: 216567aee30807d00cf84aac69e593318415fc568fe34b5175f3ea0232a402f2
Instruction Fuzzy Hash: 68212271A04300EFDB05DF94D9C4B26BBA1FB85324F60C6AED8094B362C736D486CA71

Function 0142D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124225485.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f17518a3fefe9d7643a2e33f7eb47896b8f5897d76f8fd5642c4d7e28d9b79
Instruction ID: 9a9df7ea1df7686586ff781a0037526ad6da8d58d10c5a2a7a0f603bae8bfb64
Opcode Fuzzy Hash: 23f17518a3fefe9d7643a2e33f7eb47896b8f5897d76f8fd5642c4d7e28d9b79
Instruction Fuzzy Hash: 982142B1A04340DFDB14DF54D884B16BBA1FB84318F60C56ED80A4B366C33AC487CA62

Function 0142D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124225485.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f13f4a8be16a53987c011dc3726e46dda63cafca8a45274dd314e9dedd4747a
Instruction ID: 93ef987288a8cb000761eb4550d9b8b0e0c733c0c84f49733b1bc084dc2afa65
Opcode Fuzzy Hash: 7f13f4a8be16a53987c011dc3726e46dda63cafca8a45274dd314e9dedd4747a
Instruction Fuzzy Hash: 212180755093808FCB12CF24D990716BF71EB46218F28C5DBD8498B667C33A984ACB62

Function 0141D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124184451.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_141d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22cb2ac7e8ca2eec31ed2fac24db7ed4a2581669a60e4f58f51b4d2525f63fe
Instruction ID: 863bbec6dc660901cd7e29cd0dd6a794330b3ef6a51a1c92bc31e737f1e93a31
Opcode Fuzzy Hash: a22cb2ac7e8ca2eec31ed2fac24db7ed4a2581669a60e4f58f51b4d2525f63fe
Instruction Fuzzy Hash: B411B4B6904240CFCB16CF54D5C4B16BF71FB84324F2485AAD9094B76BC33AD456CBA1

Function 0142D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2124225485.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction ID: 978b7d1d16d43e630214f61621f1719ee49fd84a044a7fed922d3b9612161eba
Opcode Fuzzy Hash: e5598050a76b1bbb03a66d3720a50d8acb638a64c40f8b375dc4a1e083d93ad6
Instruction Fuzzy Hash: 3011BB75904280DFDB02CF54C5C0B16BBA1FB85224F28C6AED8494B766C33AD48ACB61

Non-executed Functions

Function 02E1745A Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83db5ef1e76b7d04fe7c546a6e8e77236baae991619a7375432b702e2b268c22
Instruction ID: 5a0b87b05d7c6fd12e23dff8b3d4b9346c97af7f990afbb8dedb796c6230e43b
Opcode Fuzzy Hash: 83db5ef1e76b7d04fe7c546a6e8e77236baae991619a7375432b702e2b268c22
Instruction Fuzzy Hash: 1D815BB9E052498FD718EF6AE8506A9BFF2FFC8600F54C16AC4049B379EB705846CB51

Function 02E17468 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2125353454.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2e10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449b25d93e7bc63977ad62914bd296a3a037b97c340482a5149778fcb5a791a8
Instruction ID: ea95776d3c209d6744adfa60a19ec3b155b0ca0b4cf32b5f31f1d0b58b8c974f
Opcode Fuzzy Hash: 449b25d93e7bc63977ad62914bd296a3a037b97c340482a5149778fcb5a791a8
Instruction Fuzzy Hash: 3261EBB4A016098FD71CEF6AE8506AABBF3FFC8600F54C16AD4049B37CEB7058458B51

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 66dcab0bcba58_crypted.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66dcab0bcba58_crypted.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
66dcab0bcba58_crypted.exe

Function 029624B1 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 0296280E Relevance: 3.0, APIs: 2, Instructions: 14
threadCOMMON

Function 00F50B28 Relevance: 1.8, APIs: 1, Instructions: 251
COMMON

Function 00F504B0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Function 02E17712 Relevance: .2, Instructions: 238
COMMON

Function 02E1C928 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 02E1456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02E1598C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02E1E750 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02E1EE00 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 02E1C328 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02E1CD99 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Function 02E19E7C Relevance: 1.6, APIs: 1, Instructions: 50
COMMON