Edit tour
Windows
Analysis Report
file.exe
Overview
General Information
| Sample name: | file.exe |
| Analysis ID: | 1542259 |
| MD5: | 17f5a1ae03a0ff4eb038527de02e8860 |
| SHA1: | 66e04a8d2fbe629115cad3f39bedc33256a8f35a |
| SHA256: | 6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f |
| Tags: | exeuser-Bitsight |
| Infos: |   |
 | |
Detection
NetSupport RAT
| Score: | 80 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains functionalty to change the wallpaper
Delayed program exit found
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Classification
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| Click to see the 7 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security | ||
| JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | ||
| Click to see the 6 entries | ||||
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-25T18:15:26.602287+0200 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.67 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Code function: | 1_2_110AD570 | |
| Source: | Static PE information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00B9A273 | |
| Source: | Code function: | 0_2_00BAA537 | |
| Source: | Code function: | 1_2_1102D330 | |
| Source: | Code function: | 1_2_11065890 | |
| Source: | Code function: | 1_2_1106A0A0 | |
| Source: | Code function: | 1_2_111266E0 | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | ASN Name: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Code function: | 1_2_1101F6B0 | |
| Source: | Code function: | 1_2_1101F6B0 | |
| Source: | Code function: | 1_2_110321E0 | |
| Source: | Code function: | 1_2_110076F0 | |
| Source: | Code function: | 1_2_11113880 | |
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Spam, unwanted Advertisements and Ransom Demands | |
|---|
| Source: | Code function: | 1_2_111158B0 | |
| Source: | Process Stats: | ||
| Source: | Code function: | 0_2_00B97070 | |
| Source: | Code function: | 1_2_1115DB40 | |
| Source: | Code function: | 1_2_1102D330 | |
| Source: | Code function: | 0_2_00BA5984 | |
| Source: | Code function: | 0_2_00B98409 | |
| Source: | Code function: | 0_2_00BA30E6 | |
| Source: | Code function: | 0_2_00BBE8D4 | |
| Source: | Code function: | 0_2_00B9E045 | |
| Source: | Code function: | 0_2_00B9D1D2 | |
| Source: | Code function: | 0_2_00BAE94A | |
| Source: | Code function: | 0_2_00BAFAC8 | |
| Source: | Code function: | 0_2_00B9BA1A | |
| Source: | Code function: | 0_2_00B93203 | |
| Source: | Code function: | 0_2_00BAF25E | |
| Source: | Code function: | 0_2_00BA63F2 | |
| Source: | Code function: | 0_2_00B9DBE2 | |
| Source: | Code function: | 0_2_00BA2B3A | |
| Source: | Code function: | 0_2_00BB2B78 | |
| Source: | Code function: | 0_2_00BBA35E | |
| Source: | Code function: | 0_2_00B9EC97 | |
| Source: | Code function: | 0_2_00BA5DB9 | |
| Source: | Code function: | 0_2_00BA2DB5 | |
| Source: | Code function: | 0_2_00B9D5E4 | |
| Source: | Code function: | 0_2_00BB9EB0 | |
| Source: | Code function: | 0_2_00BAF693 | |
| Source: | Code function: | 0_2_00B95E96 | |
| Source: | Code function: | 0_2_00BAEE46 | |
| Source: | Code function: | 0_2_00BA4FB5 | |
| Source: | Code function: | 0_2_00B93FC5 | |
| Source: | Code function: | 0_2_00B9276C | |
| Source: | Code function: | 1_2_110733B0 | |
| Source: | Code function: | 1_2_11029590 | |
| Source: | Code function: | 1_2_11061C90 | |
| Source: | Code function: | 1_2_11033010 | |
| Source: | Code function: | 1_2_11163220 | |
| Source: | Code function: | 1_2_11167485 | |
| Source: | Code function: | 1_2_110454F0 | |
| Source: | Code function: | 1_2_1101B760 | |
| Source: | Code function: | 1_2_111258B0 | |
| Source: | Code function: | 1_2_1101BBA0 | |
| Source: | Code function: | 1_2_11087C60 | |
| Source: | Code function: | 1_2_11080480 | |
| Source: | Code function: | 1_2_1115E980 | |
| Source: | Code function: | 1_2_1101C9C0 | |
| Source: | Code function: | 1_2_110088AB | |
| Source: | Process token adjusted: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 1_2_11059C50 | |
| Source: | Code function: | 1_2_1109D440 | |
| Source: | Code function: | 1_2_1109D4D0 | |
| Source: | Code function: | 1_2_11115B70 | |
| Source: | Code function: | 0_2_00BA8BD0 | |
| Source: | Code function: | 1_2_11127E10 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | Command line argument: | 0_2_00BAC131 | |
| Source: | Command line argument: | 0_2_00BAC131 | |
| Source: | Command line argument: | 0_2_00BAC131 | |
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | File written: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Window detected: | ||
| Source: | Static file information: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 1_2_11029590 | |
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00BAD8C9 | |
| Source: | Code function: | 0_2_00BACE0E | |
| Source: | Code function: | 1_2_1116F068 | |
| Source: | Code function: | 1_2_11169F5C | |
| Source: | Static PE information: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | 1_2_11127E10 | |
| Source: | Code function: | 1_2_11139090 | |
| Source: | Code function: | 1_2_1115B1D0 | |
| Source: | Code function: | 1_2_11113290 | |
| Source: | Code function: | 1_2_110CB2B0 | |
| Source: | Code function: | 1_2_110CB2B0 | |
| Source: | Code function: | 1_2_110254A0 | |
| Source: | Code function: | 1_2_110258F0 | |
| Source: | Code function: | 1_2_11023BA0 | |
| Source: | Code function: | 1_2_11024280 | |
| Source: | Code function: | 1_2_11112670 | |
| Source: | Code function: | 1_2_111229D0 | |
| Source: | Code function: | 1_2_111229D0 | |
| Source: | Code function: | 1_2_110C0BB0 | |
| Source: | Code function: | 1_2_11143570 | |
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Code function: | 1_2_110B8200 | |
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Dropped PE file which has not been started: | Jump to dropped file | ||
| Source: | Evaded block: | graph_1-59618 | ||
| Source: | Evaded block: | graph_1-63474 | ||
| Source: | Evaded block: | graph_1-63785 | ||
| Source: | Evaded block: | graph_1-63743 | ||
| Source: | Evasive API call chain: | graph_1-63875 | ||
| Source: | Check user administrative privileges: | graph_1-63675 | ||
| Source: | API coverage: | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Last function: | ||
| Source: | Code function: | 0_2_00B9A273 | |
| Source: | Code function: | 0_2_00BAA537 | |
| Source: | Code function: | 1_2_1102D330 | |
| Source: | Code function: | 1_2_11065890 | |
| Source: | Code function: | 1_2_1106A0A0 | |
| Source: | Code function: | 1_2_111266E0 | |
| Source: | Code function: | 0_2_00BAC8D5 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | API call chain: | graph_0-22629 | ||
| Source: | API call chain: | graph_1-59680 | ||
| Source: | Code function: | 0_2_00BADA75 | |
| Source: | Code function: | 1_2_11147750 | |
| Source: | Code function: | 1_2_11029590 | |
| Source: | Code function: | 0_2_00BB4A5A | |
| Source: | Code function: | 0_2_00BB8AAA | |
| Source: | Code function: | 0_2_00BADA75 | |
| Source: | Code function: | 0_2_00BADBC3 | |
| Source: | Code function: | 0_2_00BB5B53 | |
| Source: | Code function: | 0_2_00BADD7C | |
| Source: | Code function: | 1_2_11093080 | |
| Source: | Code function: | 1_2_110310C0 | |
| Source: | Code function: | 1_2_11161D01 | |
| Source: | Code function: | 1_2_1116DD89 | |
| Source: | Code function: | 1_2_110F4560 | |
| Source: | Code function: | 1_2_1111FCA0 | |
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 1_2_1109E190 | |
| Source: | Code function: | 1_2_1109E910 | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | 0_2_00BAD8CB | |
| Source: | Code function: | 0_2_00BA932F | |
| Source: | Code function: | 1_2_11173A35 | |
| Source: | Code function: | 1_2_11173D69 | |
| Source: | Code function: | 1_2_11173CC6 | |
| Source: | Code function: | 1_2_1116B38E | |
| Source: | Code function: | 1_2_11173933 | |
| Source: | Code function: | 1_2_111739DA | |
| Source: | Code function: | 1_2_1117383E | |
| Source: | Code function: | 1_2_11173D2D | |
| Source: | Code function: | 1_2_11173C06 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 1_2_110F33F0 | |
| Source: | Code function: | 0_2_00BAC131 | |
| Source: | Code function: | 1_2_1103B160 | |
| Source: | Code function: | 0_2_00B9A8E0 | |
| Source: | Code function: | 1_2_110D8200 | |
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 4 Native API | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 22 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 21 Access Token Manipulation | 2 Software Packing | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 DLL Side-Loading | NTDS | 44 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 13 Process Injection | 1 Masquerading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 13 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 50% | ReversingLabs | Win32.Trojan.NetSupport |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 3% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 12% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 29% | ReversingLabs | Win32.Trojan.NetSupport | ||
| 0% | ReversingLabs | |||
| 3% | ReversingLabs | |||
| 13% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| geo.netsupportsoftware.com | 172.67.68.212 | true | false | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | unknown | ||
| true | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false | unknown | |||
| false |
| unknown | ||
| false | unknown | |||
| false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 185.215.113.67 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true | |
| 172.67.68.212 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1542259 |
| Start date and time: | 2024-10-25 18:14:28 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 8m 12s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Run with higher sleep bypass |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | file.exe |
| Detection: | MAL |
| Classification: | mal80.rans.evad.winEXE@3/12@1/2 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- VT rate limit hit for: file.exe
| Time | Type | Description |
|---|---|---|
| 12:15:57 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 185.215.113.67 | Get hash | malicious | Amadey Raccoon | Browse |
| |
| Get hash | malicious | Amadey Raccoon | Browse |
| ||
| Get hash | malicious | Amadey Raccoon | Browse |
| ||
| Get hash | malicious | Amadey Raccoon | Browse |
| ||
| Get hash | malicious | Amadey Raccoon | Browse |
| ||
| Get hash | malicious | Amadey Raccoon | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| Get hash | malicious | Amadey Raccoon Vidar | Browse |
| ||
| Get hash | malicious | Amadey | Browse |
| ||
| 172.67.68.212 | Get hash | malicious | NetSupport RAT | Browse |
| |
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT, LummaC Stealer, NetSupport Downloader | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| geo.netsupportsoftware.com | Get hash | malicious | NetSupport RAT | Browse |
| |
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
| ||
| Get hash | malicious | NetSupport RAT | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| WHOLESALECONNECTIONSNL | Get hash | malicious | Stealc | Browse |
| |
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Stealc | Browse |
| ||
| Get hash | malicious | Stealc, Vidar | Browse |
| ||
| CLOUDFLARENETUS | Get hash | malicious | Atlantida Stealer | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | GRQ Scam | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\Public\Pictures\HTCTL32.DLL | Get hash | malicious | NetSupport RAT | Browse | ||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| C:\Users\Public\Pictures\PCICHEK.DLL | Get hash | malicious | NetSupport RAT | Browse | ||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT, NetSupport Downloader, Stealc, Vidar | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse | |||
| Get hash | malicious | NetSupport RAT | Browse |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 328056 |
| Entropy (8bit): | 6.754723001562745 |
| Encrypted: | false |
| SSDEEP: | 6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg |
| MD5: | 2D3B207C8A48148296156E5725426C7F |
| SHA1: | AD464EB7CF5C19C8A443AB5B590440B32DBC618F |
| SHA-256: | EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796 |
| SHA-512: | 55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C |
| Malicious: | false |
| Yara Hits: |
|
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | moderate, very likely benign file |
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 257 |
| Entropy (8bit): | 5.119720931145611 |
| Encrypted: | false |
| SSDEEP: | 6:O/oPn4xRPjwx1lDKHMoEEjLgpW2MezvLdNWYpPM/ioVLa8l6i7s:XeR7wx6JjjqW2MePBPM/ioU8l6J |
| MD5: | 7067AF414215EE4C50BFCD3EA43C84F0 |
| SHA1: | C331D410672477844A4CA87F43A14E643C863AF9 |
| SHA-256: | 2050CC232710A2EA6A207BC78D1EAC66A4042F2EE701CDFEEE5DE3DDCDC31D12 |
| SHA-512: | 17B888087192BCEA9F56128D0950423B1807E294D1C4F953D1BF0F5BD08E5F8E35AFEEE584EBF9233BFC44E0723DB3661911415798159AC118C8A42AAF0B902F |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 18808 |
| Entropy (8bit): | 6.22028391196942 |
| Encrypted: | false |
| SSDEEP: | 192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih |
| MD5: | A0B9388C5F18E27266A31F8C5765B263 |
| SHA1: | 906F7E94F841D464D4DA144F7C858FA2160E36DB |
| SHA-256: | 313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A |
| SHA-512: | 6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD |
| Malicious: | false |
| Yara Hits: |
|
| Antivirus: |
|
| Joe Sandbox View: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 3735416 |
| Entropy (8bit): | 6.525042992590476 |
| Encrypted: | false |
| SSDEEP: | 49152:cTXNZ+0ci2aYNT8wstdAukudJ1xTvIZamclSp+73mPu:cTXNo0cpKwstTJIkS43mm |
| MD5: | 00587238D16012152C2E951A087F2CC9 |
| SHA1: | C4E27A43075CE993FF6BB033360AF386B2FC58FF |
| SHA-256: | 63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8 |
| SHA-512: | 637950A1F78D3F3D02C30A49A16E91CF3DFCCC59104041876789BD7FDF9224D187209547766B91404C67319E13D1606DA7CEC397315495962CBF3E2CCD5F1226 |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 396664 |
| Entropy (8bit): | 6.809064783360712 |
| Encrypted: | false |
| SSDEEP: | 12288:OpwbUb48Ju0LIFZB4Qaza4yFaMHAZtJ4Yew2j/bJa+neNQ:epq7BaGIn4BbLneNQ |
| MD5: | EAB603D12705752E3D268D86DFF74ED4 |
| SHA1: | 01873977C871D3346D795CF7E3888685DE9F0B16 |
| SHA-256: | 6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA |
| SHA-512: | 77DE0D9C93CCBA967DB70B280A85A770B3D8BEA3B707B1ABB037B2826B48898FEC87924E1A6CCE218C43478E5209E9EB9781051B4C3B450BEA3CD27DBD32C7F3 |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 105848 |
| Entropy (8bit): | 4.68250265552195 |
| Encrypted: | false |
| SSDEEP: | 384:qTjV5+6j6Qa86Fkv2Wr120hZIqeTSGRp2TkFimMP:qHVZl6FhWr80/heT8TkFiH |
| MD5: | 8D9709FF7D9C83BD376E01912C734F0A |
| SHA1: | E3C92713CE1D7EAA5E2B1FABEB06CDC0BB499294 |
| SHA-256: | 49A568F8AC11173E3A0D76CFF6BC1D4B9BDF2C35C6D8570177422F142DCFDBE3 |
| SHA-512: | 042AD89ED2E15671F5DF67766D11E1FA7ADA8241D4513E7C8F0D77B983505D63EBFB39FEFA590A2712B77D7024C04445390A8BF4999648F83DBAB6B0F04EB2EE |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 702 |
| Entropy (8bit): | 5.533600243545568 |
| Encrypted: | false |
| SSDEEP: | 12:Yrqzd+mPZGS/py6z8BlsVTXuZ7+DP981E7GXXfDWQClnmSu3vbIAlkz6:cqzEmPZly6YBlLoG1fXXfDievbIAaz6 |
| MD5: | 4D273ADEC8E85615509D57EF7DA5A6DA |
| SHA1: | 601CA5C56475C09DAA007DC843E3042B504C1096 |
| SHA-256: | 7780AC164E450F9E87D7BC3F80DFBE4BFF742D347FAA69C86FAF3161699E2C6C |
| SHA-512: | 6AAD722A9B0E8F02970BF05FEFDE7387973CFADD4BBFC8A09B8F342F621317810A7480AAF85A15F511E333B61599C79B1D3B4EAB13907CBE968A0416681AD9BC |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 773968 |
| Entropy (8bit): | 6.901559811406837 |
| Encrypted: | false |
| SSDEEP: | 12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z |
| MD5: | 0E37FBFA79D349D672456923EC5FBBE3 |
| SHA1: | 4E880FC7625CCF8D9CA799D5B94CE2B1E7597335 |
| SHA-256: | 8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18 |
| SHA-512: | 2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630 |
| Malicious: | false |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 328 |
| Entropy (8bit): | 4.93007757242403 |
| Encrypted: | false |
| SSDEEP: | 6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn |
| MD5: | 26E28C01461F7E65C402BDF09923D435 |
| SHA1: | 1D9B5CFCC30436112A7E31D5E4624F52E845C573 |
| SHA-256: | D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368 |
| SHA-512: | C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7 |
| Malicious: | false |
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 33144 |
| Entropy (8bit): | 6.737780491933496 |
| Encrypted: | false |
| SSDEEP: | 768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ |
| MD5: | DCDE2248D19C778A41AA165866DD52D0 |
| SHA1: | 7EC84BE84FE23F0B0093B647538737E1F19EBB03 |
| SHA-256: | 9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917 |
| SHA-512: | C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166 |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\user\Desktop\file.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 77224 |
| Entropy (8bit): | 6.793971095882093 |
| Encrypted: | false |
| SSDEEP: | 1536:zfafvTuNOwphKuyUHTqYXHhrXH4+LIyrxomee/+5IrAee/DIr3:jafLSpAFUzt0+LIyr7eR5IUeCIz |
| MD5: | 325B65F171513086438952A152A747C4 |
| SHA1: | A1D1C397902FF15C4929A03D582B09B35AA70FC0 |
| SHA-256: | 26DBB528C270C812423C3359FC54D13C52D459CC0E8BC9B0D192725EDA34E534 |
| SHA-512: | 6829555AB3851064C3AAD2D0C121077DB0260790B95BF087B77990A040FEBD35B8B286F1593DCCAA81B24395BD437F5ADD02037418FD5C9C8C78DC0989A9A10D |
| Malicious: | true |
| Antivirus: |
|
| Preview: |
| Process: | C:\Users\Public\Pictures\bild.exe |
| File Type: | |
| Category: | modified |
| Size (bytes): | 15 |
| Entropy (8bit): | 2.7329145639793984 |
| Encrypted: | false |
| SSDEEP: | 3:QJgTG:QkG |
| MD5: | 8AB0D91EF06123198FFAC30AD08A14C7 |
| SHA1: | 46D83BB84F74D8F28427314C6084CC9AFE9D1533 |
| SHA-256: | DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12 |
| SHA-512: | 1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3 |
| Malicious: | false |
| Preview: |
| File type: | |
| Entropy (8bit): | 7.940357211110643 |
| TrID: |
|
| File name: | file.exe |
| File size: | 2'137'944 bytes |
| MD5: | 17f5a1ae03a0ff4eb038527de02e8860 |
| SHA1: | 66e04a8d2fbe629115cad3f39bedc33256a8f35a |
| SHA256: | 6a8f94da45c0b3b791bbfb71b2e9a7cc6bd5dd777da0655ebc3137ad4070c72f |
| SHA512: | 4a70492bfc1c65e58631628c7edfe0f993bb155a63596f611bdfcc131509c9f92e204289690f83648d099fc6afee3a6d828e8cc506b1a50836b3396a9651b2d9 |
| SSDEEP: | 49152:VIfX6Rm0EkHbG+tw6NbHHBp7k5hhelN6YawnqzKwgVRD:VI/PYwYt5ShAiYawvw2 |
| TLSH: | 20A52302F9C6C5B2D53308360A68AB55797DBF342F28D96FA78D5E1ACA301917338A53 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~..............b.......b..<....b......)^...................................................... ....... .......%....... ...... |
 | |
| Icon Hash: | 1515d4d4442f2d2d |
| Entrypoint: | 0x41d779 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C72EA7E [Sun Feb 24 19:03:26 2019 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 00be6e6c4f9e287672c8301b72bdabf3 |
| Instruction |
|---|
| call 00007F8E8CAF406Fh |
| jmp 00007F8E8CAF3A63h |
| cmp ecx, dword ptr [0043A1C8h] |
| jne 00007F8E8CAF3BD5h |
| ret |
| jmp 00007F8E8CAF41E6h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 00430FE8h |
| mov dword ptr [ecx], 00431994h |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| push dword ptr [ebp+08h] |
| mov esi, ecx |
| call 00007F8E8CAE716Dh |
| mov dword ptr [esi], 004319A0h |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| and dword ptr [ecx+04h], 00000000h |
| mov eax, ecx |
| and dword ptr [ecx+08h], 00000000h |
| mov dword ptr [ecx+04h], 004319A8h |
| mov dword ptr [ecx], 004319A0h |
| ret |
| lea eax, dword ptr [ecx+04h] |
| mov dword ptr [ecx], 00431988h |
| push eax |
| call 00007F8E8CAF6D7Eh |
| pop ecx |
| ret |
| push ebp |
| mov ebp, esp |
| push esi |
| mov esi, ecx |
| lea eax, dword ptr [esi+04h] |
| mov dword ptr [esi], 00431988h |
| push eax |
| call 00007F8E8CAF6D67h |
| test byte ptr [ebp+08h], 00000001h |
| pop ecx |
| je 00007F8E8CAF3BDCh |
| push 0000000Ch |
| push esi |
| call 00007F8E8CAF31A2h |
| pop ecx |
| pop ecx |
| mov eax, esi |
| pop esi |
| pop ebp |
| retn 0004h |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007F8E8CAF3B3Eh |
| push 00437B58h |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007F8E8CAF6466h |
| int3 |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x38cd0 | 0x34 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x38d04 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xe034 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x1fd0 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x36ee0 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x31928 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x30000 | 0x25c | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x38254 | 0x120 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2e864 | 0x2ea00 | 8c2dd3ebce78edeed565107466ae1d3e | False | 0.5908595844504021 | data | 6.693477406609911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x30000 | 0x9aac | 0x9c00 | b8d3a709e8e2861298e51f270be0f883 | False | 0.45718149038461536 | data | 5.133828516884417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x3a000 | 0x213d0 | 0xc00 | 7a066b052b7178cd1388c71d17dec570 | False | 0.2789713541666667 | data | 3.2428863859698565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .gfids | 0x5c000 | 0xe8 | 0x200 | 0a8129f1f5d2e8ddcb61343ecd6f891a | False | 0.33984375 | data | 2.0959167744603624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x5d000 | 0xe034 | 0xe200 | d62594e063ef25acc085c21831d77a75 | False | 0.6341779590707964 | data | 6.802287495720703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x6c000 | 0x1fd0 | 0x2000 | 983e78af74da826d9233ebaa3055869a | False | 0.8060302734375 | data | 6.687357530503152 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PNG | 0x5d644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | 1.0027729636048528 | ||
| PNG | 0x5e18c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | 0.9363390441839495 | ||
| RT_ICON | 0x5f738 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | 0.47832369942196534 | ||
| RT_ICON | 0x5fca0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | 0.5410649819494585 | ||
| RT_ICON | 0x60548 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | 0.4933368869936034 | ||
| RT_ICON | 0x613f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | 0.5390070921985816 | ||
| RT_ICON | 0x61858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | 0.41393058161350843 | ||
| RT_ICON | 0x62900 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | 0.3479253112033195 | ||
| RT_ICON | 0x64ea8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | 0.9809269502193401 | ||
| RT_DIALOG | 0x68c1c | 0x2a2 | data | 0.5296735905044511 | ||
| RT_DIALOG | 0x68ec0 | 0x13a | data | 0.6624203821656051 | ||
| RT_DIALOG | 0x68ffc | 0xf2 | data | 0.71900826446281 | ||
| RT_DIALOG | 0x690f0 | 0x14e | data | 0.5868263473053892 | ||
| RT_DIALOG | 0x69240 | 0x318 | data | 0.476010101010101 | ||
| RT_DIALOG | 0x69558 | 0x24a | data | 0.6262798634812287 | ||
| RT_STRING | 0x697a4 | 0x1fc | data | 0.421259842519685 | ||
| RT_STRING | 0x699a0 | 0x246 | data | 0.41924398625429554 | ||
| RT_STRING | 0x69be8 | 0x1dc | data | 0.5105042016806722 | ||
| RT_STRING | 0x69dc4 | 0xdc | data | 0.65 | ||
| RT_STRING | 0x69ea0 | 0x468 | data | 0.375 | ||
| RT_STRING | 0x6a308 | 0x164 | data | 0.5056179775280899 | ||
| RT_STRING | 0x6a46c | 0xe4 | data | 0.6359649122807017 | ||
| RT_STRING | 0x6a550 | 0x158 | data | 0.4563953488372093 | ||
| RT_STRING | 0x6a6a8 | 0xe8 | data | 0.5948275862068966 | ||
| RT_STRING | 0x6a790 | 0xe6 | data | 0.5695652173913044 | ||
| RT_GROUP_ICON | 0x6a878 | 0x68 | data | 0.7019230769230769 | ||
| RT_MANIFEST | 0x6a8e0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | 0.3957333333333333 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer |
| gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-25T18:15:26.602287+0200 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49730 | 185.215.113.67 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 25, 2024 18:15:26.602287054 CEST | 49730 | 443 | 192.168.2.4 | 185.215.113.67 |
| Oct 25, 2024 18:15:26.602329016 CEST | 443 | 49730 | 185.215.113.67 | 192.168.2.4 |
| Oct 25, 2024 18:15:26.603372097 CEST | 49730 | 443 | 192.168.2.4 | 185.215.113.67 |
| Oct 25, 2024 18:15:26.889214993 CEST | 49730 | 443 | 192.168.2.4 | 185.215.113.67 |
| Oct 25, 2024 18:15:26.889249086 CEST | 443 | 49730 | 185.215.113.67 | 192.168.2.4 |
| Oct 25, 2024 18:15:26.889317989 CEST | 443 | 49730 | 185.215.113.67 | 192.168.2.4 |
| Oct 25, 2024 18:15:27.569559097 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Oct 25, 2024 18:15:27.575170040 CEST | 80 | 49731 | 172.67.68.212 | 192.168.2.4 |
| Oct 25, 2024 18:15:27.575294018 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Oct 25, 2024 18:15:27.575520992 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Oct 25, 2024 18:15:27.581377029 CEST | 80 | 49731 | 172.67.68.212 | 192.168.2.4 |
| Oct 25, 2024 18:15:28.385013103 CEST | 80 | 49731 | 172.67.68.212 | 192.168.2.4 |
| Oct 25, 2024 18:15:28.385202885 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Oct 25, 2024 18:17:17.129236937 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Oct 25, 2024 18:17:17.136758089 CEST | 80 | 49731 | 172.67.68.212 | 192.168.2.4 |
| Oct 25, 2024 18:17:17.141108036 CEST | 49731 | 80 | 192.168.2.4 | 172.67.68.212 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 25, 2024 18:15:27.476547003 CEST | 61408 | 53 | 192.168.2.4 | 1.1.1.1 |
| Oct 25, 2024 18:15:27.487157106 CEST | 53 | 61408 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 18:15:27.476547003 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b86 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 18:15:27.487157106 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b86 | No error (0) | 172.67.68.212 | A (IP address) | IN (0x0001) | false | ||
| Oct 25, 2024 18:15:27.487157106 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b86 | No error (0) | 104.26.0.231 | A (IP address) | IN (0x0001) | false | ||
| Oct 25, 2024 18:15:27.487157106 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b86 | No error (0) | 104.26.1.231 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 185.215.113.67 | 443 | 6096 | C:\Users\Public\Pictures\bild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 25, 2024 18:15:26.889214993 CEST | 220 | OUT |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.68.212 | 80 | 6096 | C:\Users\Public\Pictures\bild.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| Oct 25, 2024 18:15:27.575520992 CEST | 118 | OUT | |
| Oct 25, 2024 18:15:28.385013103 CEST | 931 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 12:15:24 |
| Start date: | 25/10/2024 |
| Path: | C:\Users\user\Desktop\file.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xb90000 |
| File size: | 2'137'944 bytes |
| MD5 hash: | 17F5A1AE03A0FF4EB038527DE02E8860 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 12:15:25 |
| Start date: | 25/10/2024 |
| Path: | C:\Users\Public\Pictures\bild.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xdb0000 |
| File size: | 105'848 bytes |
| MD5 hash: | 8D9709FF7D9C83BD376E01912C734F0A |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | moderate |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 10.4% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 9.8% |
| Total number of Nodes: | 1490 |
| Total number of Limit Nodes: | 26 |
Graph
Function 00BAC131 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 199filesleeptimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA8BD0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 92memorywindowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9A273 Relevance: 7.6, APIs: 5, Instructions: 108fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B98409 Relevance: 3.9, APIs: 2, Instructions: 888COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA5984 Relevance: .3, Instructions: 325COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9F353 Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 314libraryfileloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAAA45 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 438windowfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAB70E Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9F9D1 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9973D Relevance: 6.1, APIs: 4, Instructions: 99fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99613 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB77D1 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA991E Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FBB1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99BC8 Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99E86 Relevance: 4.6, APIs: 3, Instructions: 56COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9C413 Relevance: 4.6, APIs: 3, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB7A09 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB784C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB8618 Relevance: 3.2, APIs: 2, Instructions: 168COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B91383 Relevance: 3.1, APIs: 2, Instructions: 96COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9137E Relevance: 3.1, APIs: 2, Instructions: 94COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB8457 Relevance: 3.1, APIs: 2, Instructions: 91COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B994F1 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99A12 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB7735 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99AEB Relevance: 3.1, APIs: 2, Instructions: 54COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99897 Relevance: 3.1, APIs: 2, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB5AEA Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9D142 Relevance: 3.0, APIs: 2, Instructions: 43COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FCA6 Relevance: 3.0, APIs: 2, Instructions: 33COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9A0C3 Relevance: 3.0, APIs: 2, Instructions: 30COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC0D0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99DAC Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99E13 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9F309 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA8924 Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA909E Relevance: 3.0, APIs: 2, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB0CA6 Relevance: 3.0, APIs: 2, Instructions: 19COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B912C2 Relevance: 3.0, APIs: 2, Instructions: 11COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FC30 Relevance: 2.5, APIs: 2, Instructions: 46COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B919B1 Relevance: 1.8, APIs: 1, Instructions: 275COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9820B Relevance: 1.6, APIs: 1, Instructions: 110COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA21E6 Relevance: 1.6, APIs: 1, Instructions: 90COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA9485 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B990D0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB8EE4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9A6A9 Relevance: 1.5, APIs: 1, Instructions: 40COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB5A8D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB59FC Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B95B35 Relevance: 1.5, APIs: 1, Instructions: 32COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9A145 Relevance: 1.5, APIs: 1, Instructions: 27COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B91E8E Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B91E93 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9F8F2 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA8B65 Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9971A Relevance: 1.5, APIs: 1, Instructions: 15COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BABF77 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC7B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC787 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC7C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC726 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC75F Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC74B Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC741 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC7B1 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC7A7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC782 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC778 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC76E Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC75A Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B99B6A Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA9023 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B994A3 Relevance: 1.3, APIs: 1, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAA537 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B97070 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 299fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BBA35E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA932F Relevance: 3.0, APIs: 2, Instructions: 46COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B93FC5 Relevance: 1.6, Strings: 1, Instructions: 332COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9A8E0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BADBC3 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB8AAA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA4FB5 Relevance: .8, Instructions: 800COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA63F2 Relevance: .8, Instructions: 773COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9E045 Relevance: .7, Instructions: 694COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA5DB9 Relevance: .5, Instructions: 509COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9BA1A Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAF693 Relevance: .3, Instructions: 345COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAFAC8 Relevance: .3, Instructions: 341COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAF25E Relevance: .3, Instructions: 331COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAEE46 Relevance: .3, Instructions: 323COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9D5E4 Relevance: .3, Instructions: 318COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA2DB5 Relevance: .3, Instructions: 263COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB2B78 Relevance: .2, Instructions: 237COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA30E6 Relevance: .2, Instructions: 232COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9D1D2 Relevance: .2, Instructions: 190COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9DBE2 Relevance: .2, Instructions: 154COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9EC97 Relevance: .1, Instructions: 131COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA2B3A Relevance: .1, Instructions: 112COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B95E96 Relevance: .1, Instructions: 76COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAB8BC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB622B Relevance: 15.1, APIs: 10, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA995F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9922D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA7EE5 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 124memoryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FE20 Relevance: 12.1, APIs: 8, Instructions: 117timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BBC56D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BAC7FD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE
Download Yara Rule
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA0050 Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA8206 Relevance: 9.1, APIs: 6, Instructions: 86COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FB02 Relevance: 9.1, APIs: 6, Instructions: 57COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB4ADF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9DEB5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB89AF Relevance: 7.6, APIs: 5, Instructions: 68COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB553F Relevance: 7.5, APIs: 5, Instructions: 30COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BA9A76 Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00BB0B66 Relevance: 6.0, APIs: 4, Instructions: 14COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B97619 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00B9FAC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 6.2% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 14.9% |
| Total number of Nodes: | 2000 |
| Total number of Limit Nodes: | 101 |
Graph
Function 1109E190 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501filethreadmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11029590 Relevance: 88.0, APIs: 38, Strings: 12, Instructions: 534libraryloadernetworkCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11061C90 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143570 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11139090 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474windowthreadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11115B70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1109E910 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1109D440 Relevance: 6.0, APIs: 4, Instructions: 48COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1109D4D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102E640 Relevance: 241.6, APIs: 31, Strings: 106, Instructions: 1869windowthreadsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Control-flow Graph
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110A9C90 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11133920 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278libraryloadertimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102DBC9 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319libraryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111414A0 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266libraryregistryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110285F0 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11086700 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11141890 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11074A00 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294threadtimeCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11108D30 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 213libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11138C30 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110281A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11085E10 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110304B8 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102C410 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11061700 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11133E80 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102CC10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111450A0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11026BA0 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11102C50 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111100D0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110607F0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1115BA20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11145440 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11015010 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11144BD0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11107290 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11017300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11017220 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11025D00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1110F2B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11102AB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11145330 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1110F420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11145AE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1100ED70 Relevance: 7.6, APIs: 5, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143230 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110271B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111377F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11070C60 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00DB1020 Relevance: 6.1, APIs: 4, Instructions: 55COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1110F4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1115BDE0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11111430 Relevance: 4.5, APIs: 3, Instructions: 49COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1109E9E0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11068950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110ED1A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110ED160 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111463D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11025CD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11014F80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11074DC0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110883D0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11144440 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11144EA0 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110106C0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143000 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110FACC0 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11170166 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111672E3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00DB1000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102D330 Relevance: 70.6, APIs: 21, Strings: 19, Instructions: 575sleepfileshutdownCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11113290 Relevance: 44.0, APIs: 29, Instructions: 470windowsleepkeyboardCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1103B160 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 196fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110CB2B0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 168windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110F33F0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 79pipesleepmemoryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11063160 Relevance: 149.1, APIs: 42, Strings: 43, Instructions: 353libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11005360 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11015290 Relevance: 43.7, APIs: 29, Instructions: 170COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110FF3C0 Relevance: 42.2, APIs: 8, Strings: 16, Instructions: 207synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110EB120 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 141windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 111352B0 Relevance: 28.3, APIs: 11, Strings: 5, Instructions: 260windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1100B310 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11125200 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 240comwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11031160 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 245sleepwindowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1102310A Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 363windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11027270 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 136threadwindowsleepCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11105340 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 84fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11137340 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11047160 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 330windowtimeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11005190 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1101D1B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100registryCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1103D160 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98synchronizationCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1112B270 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 78libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11037230 Relevance: 13.6, APIs: 9, Instructions: 149COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11113150 Relevance: 13.6, APIs: 9, Instructions: 60COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110B73D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141synchronizationCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11027030 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 122windowsleepCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110B90A0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104timeCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1112B340 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 103libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110F1270 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 85fileCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11003380 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11003290 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11119160 Relevance: 12.2, APIs: 8, Instructions: 209COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110573B0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 188libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143360 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110B9000 Relevance: 10.6, APIs: 7, Instructions: 58COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1100B270 Relevance: 10.6, APIs: 7, Instructions: 54COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1101D0F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrywindowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11003310 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11147110 Relevance: 9.0, APIs: 6, Instructions: 48threadsynchronizationCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11143110 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110450BD Relevance: 7.9, APIs: 5, Instructions: 401COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11045160 Relevance: 7.8, APIs: 5, Instructions: 258COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110253D0 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11021300 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165windowCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110893D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110291D0 Relevance: 6.1, APIs: 4, Instructions: 104sleepthreadwindowCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110B3230 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110B3340 Relevance: 6.1, APIs: 4, Instructions: 67COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11113240 Relevance: 6.0, APIs: 4, Instructions: 26COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110071A5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110ED250 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 1109D3F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11029170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29threadCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|