Edit tour

Windows Analysis Report
re.exe

Overview

General Information

Sample name:	re.exe
Analysis ID:	1545841
MD5:	dd22cb80ecef115e6f102db1fc33b99b
SHA1:	dfd3f46c7438e835f2e339db3bd5c5b118cfd15a
SHA256:	88ee723fde45e51459624f7bfb3a9fbeab82ccac444823b83ced60aacd71dc8f
Tags:	exeuser-lontze7
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to start reverse TCP shell (cmd.exe)

Sigma detected: Potentially Suspicious Malware Callback Communication

Detected TCP or UDP traffic on non-standard ports

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

re.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\re.exe" MD5: DD22CB80ECEF115E6F102DB1FC33B99B)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 87.120.113.125, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\Desktop\re.exe, Initiated: true, ProcessId: 7644, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: re.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\re.exe

Code function: 4x nop then push rbx

0_2_00007FF633A61CE3

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 87.120.113.125:4444

Source: Joe Sandbox View

ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG

Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125
Source: unknown	TCP traffic detected without corresponding DNS query: 87.120.113.125

Source: C:\Users\user\Desktop\re.exe

Code function: 0_2_00007FF633A629B0 Sleep,SleepEx,WSAStartup,WSASocketA,WSASocketA,inet_addr,htons,WSAConnect,WSAConnect,closesocket,WSACleanup,recv,recv,closesocket,closesocket,WSACleanup,memset,CreateProcessA,WaitForSingleObject,CloseHandle,CloseHandle,memset,recv,closesocket,WSACleanup,

0_2_00007FF633A629B0

Source: re.exe

Static PE information: Number of sections : 11 > 10

Source: classification engine

Classification label: mal52.troj.winEXE@2/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03

Source: re.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\re.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\re.exe "C:\Users\user\Desktop\re.exe"
Source: C:\Users\user\Desktop\re.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\re.exe

Section loaded: mswsock.dll

Jump to behavior

Source: re.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: re.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: re.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A68368 push rbp; retf	0_2_00007FF633A6836B
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A68358 push rsi; retf	0_2_00007FF633A68363
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A68398 push rbp; retf	0_2_00007FF633A6839B
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A683A0 push rsi; retf	0_2_00007FF633A683AB
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A68380 push rbp; retf	0_2_00007FF633A68383

Source: C:\Users\user\Desktop\re.exe TID: 7648

Thread sleep time: -100000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\re.exe

Last function: Thread delayed

Source: re.exe, 00000000.00000002.2645972281.00000204C92AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWwsoc%SystemRoot%\system32\mswsock.dll
Source: re.exe, 00000000.00000002.2645972281.00000204C92AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWK

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A61180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm,exit,	0_2_00007FF633A61180
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A6295A SetUnhandledExceptionFilter,	0_2_00007FF633A6295A
Source: C:\Users\user\Desktop\re.exe	Code function: 0_2_00007FF633A68380 SetUnhandledExceptionFilter,	0_2_00007FF633A68380

Remote Access Functionality

Contains functionality to start reverse TCP shell (cmd.exe)

Source: C:\Users\user\Desktop\re.exe

0_2_00007FF633A629B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
re.exe	5%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.113.125	unknown	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545841
Start date and time:	2024-10-31 06:47:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	re.exe
Detection:	MAL
Classification:	mal52.troj.winEXE@2/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: re.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
87.120.113.125	demon.exe	Get hash	malicious	Havoc	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNACS-AS-BG8000BurgasBG	demon.exe	Get hash	malicious	Havoc	Browse	87.120.113.125
	3u8A2xjbBT.exe	Get hash	malicious	LiteHTTP Bot	Browse	87.120.126.5
	CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml	Get hash	malicious	HTMLPhisher	Browse	87.120.113.115
	bLaLoo4ET5.exe	Get hash	malicious	Quasar	Browse	87.120.116.115
	Transferencia.doc	Get hash	malicious	Quasar	Browse	87.120.116.115
	1XZFfxyWZA.exe	Get hash	malicious	RedLine	Browse	87.120.115.20
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	roquette October.pdf	Get hash	malicious	HTMLPhisher	Browse	87.120.126.33
	https://anviict.com/?qvtvxymb	Get hash	malicious	HTMLPhisher	Browse	87.120.125.203
	t50.elf	Get hash	malicious	Xmrig	Browse	87.120.117.189

File type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.1071141650389125
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	re.exe
File size:	19'968 bytes
MD5:	dd22cb80ecef115e6f102db1fc33b99b
SHA1:	dfd3f46c7438e835f2e339db3bd5c5b118cfd15a
SHA256:	88ee723fde45e51459624f7bfb3a9fbeab82ccac444823b83ced60aacd71dc8f
SHA512:	55eca58fa5a51fc1fe2e77177c06d4e9cf1d1079ad5373b336c8fb6daf1b08fbf5ae21970e49d046abf27a95021223efb1204ace7de954fe3a93e3143f2828d2
SSDEEP:	192:rV9A/rARcJeFQAUOVgUBZIcK9IPO9ZKShMyGA3IUSoTTTTTTTTTTTTTTTTTTTTTy:rVYsRseFX5vL2kO9wJbPZhYsBIkCW
TLSH:	D192091EB71658ECC787C1B4D2EB4B72EEB6BD16022062391214F2391E35DA2DE7F605
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....F g...............*.....J.................@.....................................U....`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x672046DF [Tue Oct 29 02:22:23 2024 UTC]
TLS Callbacks:	0x400015a0, 0x1, 0x40001570, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0f15d8212ccc6a485ec40b0f2cb15303

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00003005h]
mov dword ptr [eax], 00000000h
call 00007FF6D08F629Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007FF6D08F77BCh
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007FF6D08F64F9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp dword ptr [0000712Ah]
nop
nop
jmp dword ptr [0000711Ah]
nop
nop
jmp dword ptr [0000710Ah]
nop
nop
jmp dword ptr [000070FAh]
nop
nop
jmp dword ptr [000070EAh]
nop
nop
jmp dword ptr [000070DAh]
nop
nop
jmp dword ptr [000070CAh]
nop
nop
jmp dword ptr [000070BAh]
nop
nop
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00001B65h]
dec eax
mov eax, dword ptr [eax]
dec eax
test eax, eax
je 00007FF6D08F6544h
nop dword ptr [eax+eax+00h]
call eax
dec eax
mov eax, dword ptr [00001B4Fh]
dec eax
lea edx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [eax+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8000	0xbd0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5000	0x264	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0x90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4040	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8340	0x250	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d98	0x1e00	150bf272b5d7eb44dba1e7e1cc6f2672	False	0.558203125	data	5.880571877186384	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3000	0x100	0x200	91c0f3b655372a9f6361f4b9654be824	False	0.193359375	data	1.4396691916168416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4000	0xa90	0xc00	057bf69255acb6be3c2d33b503f48ecc	False	0.19889322916666666	data	4.467551377251061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5000	0x264	0x400	cd880c1930c68f755a92655748beb431	False	0.3466796875	data	2.62058338570906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x6000	0x1e0	0x200	5752b5f8977e5562b6ef25d63abd9cf0	False	0.43359375	data	3.6768225053484747	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x7000	0x180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x8000	0xbd0	0xc00	6b915218920bc9126fc0073de6c07b5e	False	0.3401692708333333	data	4.037243653299285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x9000	0x60	0x200	1b4cf2a002c45f387d7940a48fcbfa9b	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb000	0x4e8	0x600	3b7f4d778dd55680650e27ddd712b430	False	0.333984375	data	4.778477168376261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0x90	0x200	bf1b9dd3acd0e7526ebd55072de13a12	False	0.267578125	data	1.6932143824916048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xb058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
KERNEL32.dll	CloseHandle, CreateProcessA, DeleteCriticalSection, EnterCriticalSection, FreeConsole, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
api-ms-win-crt-convert-l1-1-0.dll	atoi
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-private-l1-1-0.dll	__C_specific_handler, memcpy
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, fwrite
api-ms-win-crt-string-l1-1-0.dll	memset, strcmp, strlen, strncmp
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _tzset
WS2_32.dll	WSACleanup, WSAConnect, WSASocketA, WSAStartup, closesocket, htons, inet_addr, recv

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 06:48:07.927968025 CET	49706	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:07.932920933 CET	4444	49706	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:07.933104038 CET	49706	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:08.524280071 CET	4444	49706	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:08.525690079 CET	49706	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:08.525768995 CET	49706	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:08.530615091 CET	4444	49706	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:13.649826050 CET	49707	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:13.655242920 CET	4444	49707	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:13.655352116 CET	49707	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:14.240151882 CET	4444	49707	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:14.240243912 CET	49707	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:14.240328074 CET	49707	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:14.245120049 CET	4444	49707	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:19.257155895 CET	49710	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:19.262454033 CET	4444	49710	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:19.262561083 CET	49710	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:19.847953081 CET	4444	49710	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:19.848623991 CET	49710	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:19.848731041 CET	49710	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:19.853498936 CET	4444	49710	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:24.873054981 CET	49712	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:24.878004074 CET	4444	49712	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:24.878202915 CET	49712	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:25.480544090 CET	4444	49712	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:25.480681896 CET	49712	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:25.480823040 CET	49712	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:25.485696077 CET	4444	49712	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:30.489274025 CET	49713	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:30.494259119 CET	4444	49713	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:30.494430065 CET	49713	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:31.080488920 CET	4444	49713	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:31.080596924 CET	49713	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:31.080729008 CET	49713	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:31.085760117 CET	4444	49713	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:36.097970009 CET	49714	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:36.103261948 CET	4444	49714	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:36.103347063 CET	49714	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:36.721168995 CET	4444	49714	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:36.721699953 CET	49714	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:36.722371101 CET	49714	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:36.742372036 CET	4444	49714	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:41.738253117 CET	49715	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:41.743318081 CET	4444	49715	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:41.743393898 CET	49715	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:42.362313986 CET	4444	49715	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:42.362392902 CET	49715	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:42.362478971 CET	49715	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:42.367285013 CET	4444	49715	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:47.378658056 CET	49716	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:47.383527040 CET	4444	49716	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:47.383656979 CET	49716	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:47.975528002 CET	4444	49716	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:47.975600958 CET	49716	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:47.975687027 CET	49716	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:47.980463028 CET	4444	49716	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:52.989026070 CET	49717	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:52.994002104 CET	4444	49717	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:52.994141102 CET	49717	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:53.593972921 CET	4444	49717	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:53.594048977 CET	49717	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:53.594140053 CET	49717	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:53.598927975 CET	4444	49717	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:58.614403963 CET	49719	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:58.619235039 CET	4444	49719	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:58.619319916 CET	49719	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:59.207088947 CET	4444	49719	87.120.113.125	192.168.2.8
Oct 31, 2024 06:48:59.207202911 CET	49719	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:59.207281113 CET	49719	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:48:59.212203026 CET	4444	49719	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:04.224663973 CET	49720	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:04.229856014 CET	4444	49720	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:04.230102062 CET	49720	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:04.824038029 CET	4444	49720	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:04.824223995 CET	49720	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:04.824320078 CET	49720	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:04.829317093 CET	4444	49720	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:09.842686892 CET	49721	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:09.847598076 CET	4444	49721	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:09.847687960 CET	49721	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:10.446233034 CET	4444	49721	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:10.446449041 CET	49721	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:10.446536064 CET	49721	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:10.451361895 CET	4444	49721	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:15.457849979 CET	49722	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:15.463231087 CET	4444	49722	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:15.463310957 CET	49722	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:16.055738926 CET	4444	49722	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:16.055908918 CET	49722	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:16.055984020 CET	49722	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:16.060873985 CET	4444	49722	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:21.067365885 CET	49723	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:21.073280096 CET	4444	49723	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:21.073380947 CET	49723	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:21.662348032 CET	4444	49723	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:21.662472963 CET	49723	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:21.662565947 CET	49723	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:21.667504072 CET	4444	49723	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:26.682745934 CET	49724	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:26.687679052 CET	4444	49724	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:26.688369989 CET	49724	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:27.273572922 CET	4444	49724	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:27.273654938 CET	49724	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:27.273708105 CET	49724	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:27.278675079 CET	4444	49724	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:32.335473061 CET	49725	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:32.341316938 CET	4444	49725	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:32.341780901 CET	49725	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:32.933727026 CET	4444	49725	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:32.933938026 CET	49725	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:32.934025049 CET	49725	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:32.938849926 CET	4444	49725	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:37.942584991 CET	49726	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:37.948545933 CET	4444	49726	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:37.948637009 CET	49726	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:38.540143013 CET	4444	49726	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:38.540282965 CET	49726	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:38.540343046 CET	49726	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:38.546551943 CET	4444	49726	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:43.552160025 CET	49727	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:43.557066917 CET	4444	49727	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:43.557183981 CET	49727	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:44.157397032 CET	4444	49727	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:44.157473087 CET	49727	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:44.160216093 CET	49727	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:44.165215015 CET	4444	49727	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:49.176892042 CET	49728	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:49.181926966 CET	4444	49728	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:49.182018995 CET	49728	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:49.777498007 CET	4444	49728	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:49.777616024 CET	49728	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:49.777678013 CET	49728	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:49.782783031 CET	4444	49728	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:54.785866022 CET	49729	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:54.790913105 CET	4444	49729	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:54.790988922 CET	49729	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:55.545593977 CET	4444	49729	87.120.113.125	192.168.2.8
Oct 31, 2024 06:49:55.545813084 CET	49729	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:55.545861959 CET	49729	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:49:55.550704002 CET	4444	49729	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:00.566876888 CET	49730	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:00.572129011 CET	4444	49730	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:00.572410107 CET	49730	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:01.158958912 CET	4444	49730	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:01.159024954 CET	49730	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:01.159097910 CET	49730	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:01.163990974 CET	4444	49730	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:06.175829887 CET	49731	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:06.181233883 CET	4444	49731	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:06.181817055 CET	49731	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:06.781821012 CET	4444	49731	87.120.113.125	192.168.2.8
Oct 31, 2024 06:50:06.781888008 CET	49731	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:06.781949043 CET	49731	4444	192.168.2.8	87.120.113.125
Oct 31, 2024 06:50:06.786756992 CET	4444	49731	87.120.113.125	192.168.2.8

Target ID:	0
Start time:	01:48:01
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\re.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\re.exe"
Imagebase:	0x7ff633a60000
File size:	19'968 bytes
MD5 hash:	DD22CB80ECEF115E6F102DB1FC33B99B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	01:48:01
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	199
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF633A629B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 151
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00007FF633A629D9
WSASocketA.WS2_32 ref: 00007FF633A62A1D
WSAConnect.WS2_32 ref: 00007FF633A62AA2
recv.WS2_32 ref: 00007FF633A62B0D
closesocket.WS2_32 ref: 00007FF633A62B2F
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF633A62B62
memset.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF633A62C3E

Strings

exit, xrefs: 00007FF633A62C9D
cmd.exe, xrefs: 00007FF633A62B3F

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: memset$ConnectSleepSocketclosesocketrecv
String ID: cmd.exe$exit
API String ID: 4229653474-2214786188
Opcode ID: 8f14fe6e2050afa5d9f05332c4cf168444f6b3255edf1fbeac50bca7d1f7eabe
Instruction ID: ad6cc97a291418e3948449516719d40aa6897359241a99a689e80b505cad0401
Opcode Fuzzy Hash: 8f14fe6e2050afa5d9f05332c4cf168444f6b3255edf1fbeac50bca7d1f7eabe
Instruction Fuzzy Hash: 74713971715B858DEB708F2AEC513E92365FB88B88F040136DA5D9BBA8DF7EC2418740

Function 00007FF633A61180 Relevance: 13.6, APIs: 9, Instructions: 145
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF633A61406), ref: 00007FF633A611BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF633A6122B
_set_invalid_parameter_handler.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF633A61406), ref: 00007FF633A61242
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF633A61406), ref: 00007FF633A6125F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF633A61406), ref: 00007FF633A61284
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF633A61406), ref: 00007FF633A61290
memcpy.API-MS-WIN-CRT-PRIVATE-L1-1-0(?,?,?,00007FF633A61406), ref: 00007FF633A612A8

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled_set_invalid_parameter_handlermemcpystrlen
String ID:
API String ID: 959198572-0
Opcode ID: 6d3d908b884f6b11db23c0c28ec46509c52d9d2f2be8693eec3fc5ce89aa2120
Instruction ID: 06908aab631c1eabac80b64f52e2f44f569a14bcc504f81038e4e80fc4c83744
Opcode Fuzzy Hash: 6d3d908b884f6b11db23c0c28ec46509c52d9d2f2be8693eec3fc5ce89aa2120
Instruction Fuzzy Hash: C651A836E19A4286FB509F2DE89727927A1BF85BC5F444035DE9DE7391CE3CE881A310

Function 00007FF633A62CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE(?,?,?,?,?,?,00000000,00007FF633A612EE,?,?,?,00007FF633A61406), ref: 00007FF633A62CEB

Part of subcall function 00007FF633A629B0: SleepEx.KERNELBASE ref: 00007FF633A629D9
Part of subcall function 00007FF633A629B0: WSASocketA.WS2_32 ref: 00007FF633A62A1D
Part of subcall function 00007FF633A629B0: WSAConnect.WS2_32 ref: 00007FF633A62AA2
Part of subcall function 00007FF633A629B0: recv.WS2_32 ref: 00007FF633A62B0D
Part of subcall function 00007FF633A629B0: closesocket.WS2_32 ref: 00007FF633A62B2F

Strings

113.125, xrefs: 00007FF633A62D2F
87.120.1, xrefs: 00007FF633A62D21

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: ConnectConsoleFreeSleepSocketclosesocketrecv
String ID: 113.125$87.120.1
API String ID: 2627751733-1215179673
Opcode ID: 6c9176bf0ae3556d74a375d2ef290c0d20a9a198bfeb47a2ab972564b4c067d6
Instruction ID: b941b564e0253de71e71167f3fd9805c01305e670661c860baae845c22be77e2
Opcode Fuzzy Hash: 6c9176bf0ae3556d74a375d2ef290c0d20a9a198bfeb47a2ab972564b4c067d6
Instruction Fuzzy Hash: 3F012C76F04B05CEEB00EF69D4421AD37A4FB80B89F504835DE1D67756DE38D6619780

Non-executed Functions

Function 00007FF633A61CE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CCG , xrefs: 00007FF633A61D05

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 350c4a24a48d2bf3026db58bc1ee444c0b8c6d39cdb072db54391b5dcb086980
Instruction ID: 203ec76ba52e058b0441626a52bd4cd4e75b9be368da93041f5079d1284c24ca
Opcode Fuzzy Hash: 350c4a24a48d2bf3026db58bc1ee444c0b8c6d39cdb072db54391b5dcb086980
Instruction Fuzzy Hash: 0621F260F0D10282FFB8126C85533B91A829F49394F184E35CAADE73D3EE2CE8C1A201

Function 00007FF633A6295A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6fa22c5483d9e8a30babd7439f948286ffb8a9121045deb7b9582bc73450fe
Instruction ID: 5a2c609d1a1da5b1748abc6d0354f6976fcac7f857cff079d6e631d9178fbb86
Opcode Fuzzy Hash: ec6fa22c5483d9e8a30babd7439f948286ffb8a9121045deb7b9582bc73450fe
Instruction Fuzzy Hash: BDB092DB48E6D04AD3074B3469220ACAF38F683A1170DA2A2D68C53A87CE2880A8C215

Function 00007FF633A68380 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction ID: 038cc99b61fe1a58f79dc842e8ffe6d2d7c0790616e2838ebdfb41b054369831
Opcode Fuzzy Hash: 7c307f67adb8aff98d3f095286b2b700dfcb55a183617c16c72d4ace8312b7d4
Instruction Fuzzy Hash:

Function 00007FF633A61750 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FF633A61921,?,?,?,?,?,?,00007FF633A64A88,00000000,00000001), ref: 00007FF633A617A0
VirtualQuery.KERNEL32 ref: 00007FF633A6186B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF633A61901
Mingw-w64 runtime failure:, xrefs: 00007FF633A61787
VirtualProtect failed with code 0x%x, xrefs: 00007FF633A618DE
Address %p has no image-section, xrefs: 00007FF633A617C2, 00007FF633A61915

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: QueryVirtual__acrt_iob_func
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 4109086920-1534286854
Opcode ID: a9d29c53c7ee766b526fe6c213e6b26998bff00daccef6cece7b970fe964ff2f
Instruction ID: 204f0b424c6fb7b4ce610c7784a686bff0a57919449ab4fb37669eb656bd06ec
Opcode Fuzzy Hash: a9d29c53c7ee766b526fe6c213e6b26998bff00daccef6cece7b970fe964ff2f
Instruction Fuzzy Hash: BA51D372F08B4682EB109B29E8426A97B60FF89BD4F445131EE4DA7394DF3CE985D740

Function 00007FF633A61930 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 240
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(00007FF633A67040,00007FF633A67048,00000001,?,?,?,?,?,00007FF633A61224,?,?,?,00007FF633A61406), ref: 00007FF633A61B0D

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF633A61C86
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF633A61C7A
Unknown pseudo relocation bit size %d., xrefs: 00007FF633A61C64

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: 2d30a1ca80dac58fc083fdc20a893ab69ae65ead77c9bf10cd80de4b8a216884
Instruction ID: cd1274c47434bc40a78fe34ddea39eae828c3eab9ff78caac61887f0b5bd69ac
Opcode Fuzzy Hash: 2d30a1ca80dac58fc083fdc20a893ab69ae65ead77c9bf10cd80de4b8a216884
Instruction Fuzzy Hash: AE91F636F1C51346FB108B2C99422792AA1BF517A4F148235DEADF77D4DE3CE852A740

Function 00007FF633A61640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Strings

Unknown error, xrefs: 00007FF633A6172C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 711238415-3474627141
Opcode ID: 308178d0e48bf9d8223b0d64f2ce86bfd9ff5aae4f097fbf640390cab72318ee
Instruction ID: 34b042cc607d1ebcf425538065fcacbc138447025f49632d6490bdc523927bde
Opcode Fuzzy Hash: 308178d0e48bf9d8223b0d64f2ce86bfd9ff5aae4f097fbf640390cab72318ee
Instruction Fuzzy Hash: FE015262D0CF8482E6018F1CE8011BA7331FF6E749F15A325EA8C66615DF2DE592D700

Function 00007FF633A616F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7
Partial loss of significance (PLOSS), xrefs: 00007FF633A616F0

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4283191376
Opcode ID: b2340c8a5bc51ac53e0bda6723b9ea1a59269e9a79f9e66a77a7dbdf1feef069
Instruction ID: 73b6dffce148e5b3ef8f817aa27ba38491d6d3af8144a3caab1a2014ef7c2a69
Opcode Fuzzy Hash: b2340c8a5bc51ac53e0bda6723b9ea1a59269e9a79f9e66a77a7dbdf1feef069
Instruction Fuzzy Hash: 77F03656D0CE9482D2129F1CA4011BB7331FF5E798F195326EF8D76655DF2CE5829700

Function 00007FF633A616E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7
Argument domain error (DOMAIN), xrefs: 00007FF633A616E0

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2713391170
Opcode ID: 45ee8f842956adf1d2ee2956740f9577c22b97645597d970257c6d522e4ce8b4
Instruction ID: c8f11b21f2f6267205d205d95538fd2ea710620eae26065f49bc0f1ea7471015
Opcode Fuzzy Hash: 45ee8f842956adf1d2ee2956740f9577c22b97645597d970257c6d522e4ce8b4
Instruction Fuzzy Hash: 18F09616C0CE8482D2028F1CA4011BB7331FF5E788F195326EF8D76655DF2CE5829700

Function 00007FF633A61720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

Total loss of significance (TLOSS), xrefs: 00007FF633A61720
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4273532761
Opcode ID: 4900a876cdb530cf0a21da5860960bbb76dc8dcfd8b3f0cc6179878527e77f88
Instruction ID: adadee4bbdcba2f53fa9fbb633c899859683659f5e9ea71cd6fff80340211b8e
Opcode Fuzzy Hash: 4900a876cdb530cf0a21da5860960bbb76dc8dcfd8b3f0cc6179878527e77f88
Instruction Fuzzy Hash: 5CF03656D0CE8482D2129F1DA4011BB7331FF6D798F195326EF8D76655DF2CE5829700

Function 00007FF633A61710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF633A61710
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2187435201
Opcode ID: 6e8a404368b8e8de0a6d961dd12833591fe20a5a5b46b3f8ce8a723a3836e9ac
Instruction ID: 00b78f3131cc4df967a28abcab8249bb42b56ba697be401baa0a5baf9ac807e4
Opcode Fuzzy Hash: 6e8a404368b8e8de0a6d961dd12833591fe20a5a5b46b3f8ce8a723a3836e9ac
Instruction Fuzzy Hash: 47F09616C08E8482D2038F1DA4010BB7331FF5E788F185326EF8D7A255DF2CE5829700

Function 00007FF633A61700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7
Overflow range error (OVERFLOW), xrefs: 00007FF633A61700

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-4064033741
Opcode ID: 8dbf9370b9be463bca2f0279e474c5d887e6dbe592ee19a11be92da974362acf
Instruction ID: 2f7cc3a15d1e89156318a6042e56ccff34f1ff57112546b8805bf64f3c65d02a
Opcode Fuzzy Hash: 8dbf9370b9be463bca2f0279e474c5d887e6dbe592ee19a11be92da974362acf
Instruction Fuzzy Hash: A1F01256D0CE9482D2129F1CA8011AB7331FF5E798F195326EE8D76655DF2CE5829700

Function 00007FF633A61678 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF633A61698

Part of subcall function 00007FF633A62580: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF633A62713,?,?,00007FF633A67040,00007FF633A61341), ref: 00007FF633A625A8

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF633A616A7
Argument singularity (SIGN), xrefs: 00007FF633A61678

Memory Dump Source

Source File: 00000000.00000002.2646194063.00007FF633A61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF633A60000, based on PE: true

Associated: 00000000.00000002.2646096756.00007FF633A60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646224574.00007FF633A63000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646247199.00007FF633A64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646274180.00007FF633A68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2646301168.00007FF633A6B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff633a60000_re.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 2168557111-2468659920
Opcode ID: 7744ef60b42bddec521ea1c97ba7799b41c783c3deabb4bc1e5aee6d0fad45fe
Instruction ID: f9954b35e0779260e082f328506d53fa7c25f7c6cea359b436d873b588665cb1
Opcode Fuzzy Hash: 7744ef60b42bddec521ea1c97ba7799b41c783c3deabb4bc1e5aee6d0fad45fe
Instruction Fuzzy Hash: BBF03012D08E9482D2029F2CA8011AB7335FF5E799F156326EF8D7A616DF2CE5829700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report re.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: re.exePID: 7644, Parent PID: 4084

General

Chronological Activities

Analysis Process: conhost.exePID: 7652, Parent PID: 7644

General

Chronological Activities

Windows Analysis Report
re.exe

Function 00007FF633A629B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 151
networkCOMMON

Function 00007FF633A61180 Relevance: 13.6, APIs: 9, Instructions: 145
sleepstringCOMMON

Function 00007FF633A62CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
COMMON

Function 00007FF633A61CE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Function 00007FF633A61750 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 138
COMMON

Function 00007FF633A61930 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 240
memoryCOMMON

Function 00007FF633A61640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Function 00007FF633A616F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF633A616E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF633A61720 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF633A61710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF633A61700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
COMMON

Function 00007FF633A61678 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24
COMMON