Edit tour

Windows Analysis Report
94.159.113.82.dll.dll

Overview

General Information

Sample name:	94.159.113.82.dll.dll (renamed file extension from exe to dll)
Original sample name:	94.159.113.82.dll.exe
Analysis ID:	1545965
MD5:	e32d64da480b63435d9b559e718354d2
SHA1:	aff97210b69e95313c6b28d4bd87346f97b6c637
SHA256:	65bcd99f78a0ef84ada6e7ae4b349a915d08e150e38d76c15ed657cff2d8948c
Tags:	94-159-113-82--8888dllexeuser-JAMESWT_MHT
Infos:

Detection

Strela Stealer

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

PE file does not import any functions

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 2808 cmdline: loaddll64.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3132 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 4476 cmdline: rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5952 cmdline: rundll32.exe C:\Users\user\Desktop\94.159.113.82.dll.dll,Entry MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3336 cmdline: rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",Entry MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.1454549340.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1425795730.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 5952	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 4476	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 3336	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.7ff8e84ec404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.7ff8e84ec404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ff8e84ec404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ff8e84ec404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ff8e84ec404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.7ff8e84ec404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.rundll32.exe.7ff8e84a0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ff8e84a0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ff8e84a0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 94.159.113.82.dll.dll

ReversingLabs: Detection: 34%

Source: 94.159.113.82.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84A3330	3_2_00007FF8E84A3330
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84A2D30	3_2_00007FF8E84A2D30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84CE220	3_2_00007FF8E84CE220
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84C96B0	3_2_00007FF8E84C96B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84CF000	3_2_00007FF8E84CF000
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84E1420	3_2_00007FF8E84E1420
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84E9890	3_2_00007FF8E84E9890
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FF8E84E145B	3_2_00007FF8E84E145B
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A8441540	3_2_00000143A8441540
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A84471AC	3_2_00000143A84471AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A8441A30	3_2_00000143A8441A30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A844F3D8	3_2_00000143A844F3D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACABF3D8	4_2_000002DFACABF3D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACAB71AC	4_2_000002DFACAB71AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACAB1540	4_2_000002DFACAB1540
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACAB1A30	4_2_000002DFACAB1A30
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D343F3D8	6_2_00000230D343F3D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D3431A30	6_2_00000230D3431A30
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D34371AC	6_2_00000230D34371AC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D3431540	6_2_00000230D3431540

Source: 94.159.113.82.dll.dll

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal56.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03

Source: 94.159.113.82.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\94.159.113.82.dll.dll,Entry

Source: 94.159.113.82.dll.dll

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\94.159.113.82.dll.dll,Entry
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",Entry
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\94.159.113.82.dll.dll,Entry	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",Entry	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 94.159.113.82.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 94.159.113.82.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A844BA92 push esp; ret	3_2_00000143A844BA95
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000143A844CB94 push ecx; retf 0000h	3_2_00000143A844CB95
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACABCB94 push ecx; retf 0000h	4_2_000002DFACABCB95
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACAC75CE push ecx; retf 003Fh	4_2_000002DFACAC762E
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002DFACABBA92 push esp; ret	4_2_000002DFACABBA95
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D343CB94 push ecx; retf 0000h	6_2_00000230D343CB95
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000230D343BA92 push esp; ret	6_2_00000230D343BA95

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 420

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1

Jump to behavior

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1454549340.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1425795730.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3336, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84ec404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84ec404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ff8e84a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1454549340.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1425795730.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5952, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3336, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	11 Virtualization/Sandbox Evasion	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
94.159.113.82.dll.dll	34%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0044.t-0009.fb-t-msedge.net	13.107.253.72	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545965
Start date and time:	2024-10-31 11:03:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	94.159.113.82.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	94.159.113.82.dll.exe
Detection:	MAL
Classification:	mal56.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 14 Number of non-executed functions: 23
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, ocsp.edge.digicert.com, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 94.159.113.82.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
06:04:30	API Interceptor	1x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	169778715180725424.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95
	https://invite.bublup.com/q6fU7gLtMrfS	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	27459322381917527648.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95
	10765717746537784.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95
	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	new order - PO 351081.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://uslpsz.efkbkot.xyz/e7e68e62c/JV9-MXEwfF9fJSVeKl/8jaSp4fjVfMW/EzJV4vXiNeJHw9OXxufDBAZSp5YzkhdDNlZG8lN0AjJGd-fD8kIXJ8Kg2	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://mindmeters.biz	Get hash	malicious	Unknown	Browse	192.229.221.95
s-part-0044.t-0009.fb-t-msedge.net	https://assets-usa.mkt.dynamics.com/a915fd66-2592-ef11-8a66-00224803a417/digitalassets/standaloneforms/3d7495e3-e695-ef11-8a69-000d3a3501d6	Get hash	malicious	Mamba2FA	Browse	13.107.253.72
	https://www.google.mx/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Biw.%C2%ADgc%C2%ADrvn%C2%ADm0.%C2%ADza%C2%AD.c%E2%80%8Bo%C2%ADm%2Ffylee%2Fimages%2Fsf_rand_string_mixed(24)/toto@dgtresor.gouv.fr	Get hash	malicious	Unknown	Browse	13.107.253.72
	http://demettei.com	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://dzentec-my.sharepoint.com/:u:/g/personal/i_lahmer_entec-dz_com/EdYp5IxQ-uxJivnPAqSzv40BZiCX7sphz7Kj8JDyRBKqpQ?e=wqutC4&xsdata=MDV8MDJ8c2NvdHRkaWF6QGRlbWVpbmVlc3RhdGVzLmNvbXw2YjUyZTY2NWViYzI0M2MxZGE1NjA4ZGNmNzI0NDEwY3xkMTRiYThjYzk2NDI0NzNhYTE0ZWY3NzIxODgzMzJmZXwwfDB8NjM4NjU2OTgyMzMwNDY2MDIzfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=ZnFidXdudm9CbXlMY3MxYTAxVjk3N2plVFdSTHZ5MVlZOGdkRkRZNEUxYz0%3d	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://www.shareholds.com/eur/9fb868a2-97de-4fa6-bb9a-6e2bdc7c734d/99db7d04-72ba-41ea-a52e-2744d29c7f66/e845cf48-2115-4cda-904c-fc80c835df32/login?id=RDhIaE52RURnRGJHRWUzZ21seVc3R2xwMm5BK0k2NjNKbnlRYisvT3JURnNTa0p4Skp6OTRIVjNPa3VFclFOeEFTY2Jub0tIblFrbGo5SUhWb01RRCt4Q3FtaVlNeno4MU8zN2I3bmlveTF0Tm8yM0FOb1J4THRhM1RqNnhyazNHaDFNV3Zoc1RLN2VpV0ZZbUF2MDlWWGZ2Tk5STVpzUDVKaStnT0l0S1BVTlRzZ2lmcXI1Wkh6M1FheGd3Tjh2NVdaTzVOOTRQaVZrTmZrSjRIK3IvU1p4U2doYSsrYmtUOGl1RytpeGthUGFHT1g4UE4rbngvYnhpRXlJRG9oRVRWbUczdEc1ei9ESFJsT2lpZ2JyOFBLNTNoUXdzdVB0QjhVbmRBN1NSSUJYMTkrRnoxbENHSW5lYnJHczBnQytHaDlQSkRib1NTOFNJeTI2WVhCUkg5NGxNNzNMdzBmWktZenhCR2FnaFFaem5zU3FmbUV6WXowVFdOTEFjU3pGVnRjVlNFOHRtVlkvdk9WQjdibXBTNGZFcjUyb1BYTXRhQTRNNnJjbkJtcz0	Get hash	malicious	HTMLPhisher, Microsoft Phishing	Browse	13.107.253.72
	https://onedrive.live.com/redir?resid=A2C259BD24DEB977%211517&authkey=%21AMV6sdjMIZf95vs&page=View&wd=target%28Quick%20Notes.one%7C8266a05f-045a-4cc0-bddc-4debc90069bb%2FNotera%20H6TYD9J4rDFDFECZC-HUYW%7Ca949d04d-b4e2-4509-b99f-d04546199b7b%2F%29&wdorigin=NavigationUrl	Get hash	malicious	Unknown	Browse	13.107.253.72
	ES Ny kontraktsrunda.msg	Get hash	malicious	Unknown	Browse	13.107.253.72
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.253.72
	EXTERNALRoger Moczygemba shared DIRECT MED CLINIC - CONFIDENTIAL with you.msg	Get hash	malicious	Unknown	Browse	13.107.253.72

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.3275976376954555
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	94.159.113.82.dll.dll
File size:	425'984 bytes
MD5:	e32d64da480b63435d9b559e718354d2
SHA1:	aff97210b69e95313c6b28d4bd87346f97b6c637
SHA256:	65bcd99f78a0ef84ada6e7ae4b349a915d08e150e38d76c15ed657cff2d8948c
SHA512:	8e1d0ae4d1537ce18de577674255350dd4bb73f5b2dfb185c9b8b9695c0f081f7e5501da123622528daf13a73943dffc7031d9187a2e00759c13168e5c38e685
SSDEEP:	6144:0zAcM4oqgAcjMPkvfJs3CeTqehGtXLEqNhNuLsYWkqitvqP7UOsX2IX27pxAl6Fo:0AcM5pjFH+CelQtXLEeKLZMPsm7Al0p
TLSH:	6794CF24FC7AD059ECE38072BF29D221D1662E7BDF1D2266A1EC4D404054DEFB52A1BB
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...l1"g.........." ................0-....................................................`........................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180002d30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6722316C [Wed Oct 30 13:15:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
inc ecx
push edi
inc ecx
push esi
inc ecx
push esp
push esi
push edi
push ebp
push ebx
push eax
mov eax, dword ptr [0006670Fh]
inc esp
mov eax, dword ptr [0006670Ch]
inc esp
lea ebx, dword ptr [eax-01h]
inc esp
imul ebx, eax
inc ebp
mov edx, ebx
inc ecx
not edx
inc ebp
mov ecx, edx
inc ecx
and ecx, D2AA348Dh
inc esp
mov edi, edx
inc esp
and edi, ebx
inc esp
mov ebx, ebx
inc ebp
mov edi, ebx
inc ecx
xor edi, 0F184C9Ah
inc ebp
and edi, ebx
inc ecx
and ebx, 2D55CB72h
inc ebp
or ebx, ecx
inc esp
mov eax, ebx
xor eax, 29414802h
inc ecx
xor ebx, D2AA348Dh
mov ecx, edi
not ecx
inc esp
mov ebp, ebx
and ebp, 161C9371h
and eax, E9E36C8Eh
or eax, ebp
inc ecx
or ebx, ecx
and ecx, 161C9371h
and edi, E9E36C8Eh
or edi, ecx
xor edi, eax
inc ecx
not ebx
inc ecx
or ebx, edi
inc esp
mov eax, ebx
not eax
and eax, 42B35279h
inc ecx
and ebx, BD4CAD86h
inc ecx
or ebx, eax
inc esp
mov eax, ebx
and eax, 01h
inc ecx
xor ebx, BD4CAD87h
inc ecx
or ebx, eax
inc esp
mov eax, ebx
not eax
inc esp
mov ecx, edx
and ecx, BB0EB11Ah
and ebx, 44F14EE5h
or ebx, ecx
mov edx, ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4b000	0x47	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x60	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x49fa7	0x4a000	fdb8918e6430ea5398fae9c2144872af	False	0.6443266997466216	data	6.792587224644498	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4b000	0x108	0x200	308a0ae10b14504162d1d14cd1c21df1	False	0.298828125	data	3.0907339362177764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4c000	0x1d498	0x1d600	0c51fb4af0fddb6e9b0ca1ca23212a38	False	0.8658909574468086	data	7.729026462495868	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x60	0x200	4991a695e7c4be8f5933ff807bbdd21c	False	0.177734375	PEX Binary Archive	1.1106520083640667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6b000	0x1a8	0x200	a3e915e0923731bd5fc6ef6d5ff6d820	False	0.486328125	data	4.190620030451981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x6b060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Exports

Name	Ordinal	Address
Entry	1	0x180001010

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 11:04:23.324624062 CET	1.1.1.1	192.168.2.9	0x4159	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:04:23.324624062 CET	1.1.1.1	192.168.2.9	0x4159	No error (0)	dual.s-part-0044.t-0009.fb-t-msedge.net	s-part-0044.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:04:23.324624062 CET	1.1.1.1	192.168.2.9	0x4159	No error (0)	s-part-0044.t-0009.fb-t-msedge.net		13.107.253.72	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:04:44.942229033 CET	1.1.1.1	192.168.2.9	0xca78	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:04:44.942229033 CET	1.1.1.1	192.168.2.9	0xca78	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 2808, Parent PID: 3504

General

Target ID:	0
Start time:	06:04:27
Start date:	31/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll"
Imagebase:	0x7ff6b65f0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2136, Parent PID: 2808

General

Target ID:	1
Start time:	06:04:27
Start date:	31/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3132, Parent PID: 2808

General

Target ID:	2
Start time:	06:04:27
Start date:	31/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1
Imagebase:	0x7ff7edca0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5952, Parent PID: 2808

General

Target ID:	3
Start time:	06:04:27
Start date:	31/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\94.159.113.82.dll.dll,Entry
Imagebase:	0x7ff7dd3b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4476, Parent PID: 3132

General

Target ID:	4
Start time:	06:04:27
Start date:	31/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",#1
Imagebase:	0x7ff7dd3b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1425795730.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 3336, Parent PID: 2808

General

Target ID:	6
Start time:	06:04:30
Start date:	31/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\94.159.113.82.dll.dll",Entry
Imagebase:	0x7ff7dd3b0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1454549340.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: rundll32.exePID: 5952, Parent PID: 2808COMMON

Execution Graph

Execution Coverage:	22.3%
Dynamic/Decrypted Code Coverage:	84%
Signature Coverage:	16%
Total number of Nodes:	25
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF8E84A3330 Relevance: 62.0, APIs: 1, Strings: 27, Instructions: 20001COMMON

Download Yara Rule

Strings

H[@H, xrefs: 00007FF8E84C254F
?d*, xrefs: 00007FF8E84C4D07
f|+u, xrefs: 00007FF8E84B3F20
LTc-, xrefs: 00007FF8E84AE206
LTc-, xrefs: 00007FF8E84C1C25
?d*, xrefs: 00007FF8E84C4D1D
?d*, xrefs: 00007FF8E84ACE41
-,l, xrefs: 00007FF8E84BBED1
YbUw, xrefs: 00007FF8E84A5784
YbUw, xrefs: 00007FF8E84B6C4A
,,l, xrefs: 00007FF8E84A47DB
f{:n}, xrefs: 00007FF8E84BA6BC
?d*, xrefs: 00007FF8E84AEDEC
LTc-, xrefs: 00007FF8E84B3596
-,l, xrefs: 00007FF8E84A47FC
f|+u, xrefs: 00007FF8E84BE11A
5\cl, xrefs: 00007FF8E84C03DE
+pP, xrefs: 00007FF8E84B569D
5\cl, xrefs: 00007FF8E84AE931
-,l, xrefs: 00007FF8E84BBEE1
Sax!, xrefs: 00007FF8E84C1BDC
+pP, xrefs: 00007FF8E84A3961
5\cl, xrefs: 00007FF8E84A967C
YbUw, xrefs: 00007FF8E84BA398
Sax!, xrefs: 00007FF8E84A558F
+pP, xrefs: 00007FF8E84A3982
H[@H, xrefs: 00007FF8E84AE9FD

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,,l$-,l$-,l$-,l$5\cl$5\cl$5\cl$H[@H$H[@H$LTc-$LTc-$LTc-$Sax!$Sax!$YbUw$YbUw$YbUw$f{:n}$f|+u$f|+u$+pP$+pP$+pP$?d*$?d*$?d*$?d*
API String ID: 0-3994297466
Opcode ID: 25c2f33aa9478bde86dd6623c9eb8a2061181ed5676b0cc15c3b8e2767726043
Instruction ID: b24831de404775a87c03f00531ba488c91a144a15af6d53a534c8a93177d867f
Opcode Fuzzy Hash: 25c2f33aa9478bde86dd6623c9eb8a2061181ed5676b0cc15c3b8e2767726043
Instruction Fuzzy Hash: 9844086BFB59110BFB0CC9B68DA23EB4BC353E5359F1AF4395906D7296DC7E884A0204

Function 00000143A8442080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00000143A84420B3

Strings

5, xrefs: 00000143A8442153

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: 5
API String ID: 2422867632-2226203566
Opcode ID: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction ID: 6daa9c8f620e2d131226814a4c8483425737dd2d8254eb7a24db4cafa99b62ed
Opcode Fuzzy Hash: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction Fuzzy Hash: 8A2190712546448BE709EF70D88A6EAB7E1FBA4301F60452EF097D71B2EE3986458702

Function 00000143A8441000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 00000143A844104B

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction ID: 84fffd3b54b9933392a5adc8f0b2ddc9640f9e7c910cccf91d95081221d61f3a
Opcode Fuzzy Hash: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction Fuzzy Hash: E40162705086848FFB06EB28D898BD677E1F768301F108569E0CAD72A5DEBD8658C751

Function 00000143A8446E58 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,00000143A8446E54), ref: 00000143A8446E83

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction ID: f0b1c97a790f3cd36418a869d7e9aea7edcb985fa1e6026b92bca8da7e28dcd1
Opcode Fuzzy Hash: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction Fuzzy Hash: F6D017347402040BFE5CBBB599983A92696CB65301F3018387992CB6E3CD3C8A088642

Function 00000143A8442050 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00000143A844206A

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction ID: c092d3f5cc9ad05945e7761e4822e93b8ddb175e52b7450221b7c49769eb2abf
Opcode Fuzzy Hash: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction Fuzzy Hash: 75C0123011140946E708BB34EC595E132A8FB8C301FD185359407C6450E96D81885B82

Non-executed Functions

Function 00007FF8E84CF000 Relevance: 36.3, Strings: 13, Instructions: 20001COMMON

Download Yara Rule

Strings

UyG@, xrefs: 00007FF8E84E134B
'nKq, xrefs: 00007FF8E84DEAE1
TyG@, xrefs: 00007FF8E84DD5BE
n|Y, xrefs: 00007FF8E84DDAB8
'nKq, xrefs: 00007FF8E84DF068
,=&s, xrefs: 00007FF8E84DD8DF
n|Y, xrefs: 00007FF8E84DF531
,=&s, xrefs: 00007FF8E84DD5F4
n|Y, xrefs: 00007FF8E84DD18E
,=&s, xrefs: 00007FF8E84D84C4
n|Y, xrefs: 00007FF8E84E1067
UyG@, xrefs: 00007FF8E84DD5CA
'nKq, xrefs: 00007FF8E84DFE42

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'nKq$'nKq$'nKq$,=&s$,=&s$,=&s$TyG@$UyG@$UyG@$n|Y$n|Y$n|Y$n|Y
API String ID: 0-114208488
Opcode ID: a4e7e06349bf808e6aaef3c30c32d5b9d9932c729c6e3bc24c70a987921a05f2
Instruction ID: 979ae5a3a1d9d2bcf45401181419989ed92a6aeccd3a8a7d3c72e720522687d7
Opcode Fuzzy Hash: a4e7e06349bf808e6aaef3c30c32d5b9d9932c729c6e3bc24c70a987921a05f2
Instruction Fuzzy Hash: DA4466ABBF57190AEB1099F689817DB7BC293A5358F1B74385E00D7613E8FEDC492240

Function 00007FF8E84C96B0 Relevance: 28.3, Strings: 18, Instructions: 5822
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4%, xrefs: 00007FF8E84CD94E
4%, xrefs: 00007FF8E84CC28C
4%, xrefs: 00007FF8E84CD985
4%, xrefs: 00007FF8E84CA3C1
4%, xrefs: 00007FF8E84CCEEE
4%, xrefs: 00007FF8E84C9700
4%, xrefs: 00007FF8E84CD99A
!4%, xrefs: 00007FF8E84CC255
4%, xrefs: 00007FF8E84CB145
!4%, xrefs: 00007FF8E84CC265
4%, xrefs: 00007FF8E84CD963
4%, xrefs: 00007FF8E84C9B96
!4%, xrefs: 00007FF8E84CCEE9
4%, xrefs: 00007FF8E84CA499
4%, xrefs: 00007FF8E84CCED9
4%, xrefs: 00007FF8E84CE1F8
4%, xrefs: 00007FF8E84CA463
!4%, xrefs: 00007FF8E84C9721

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$ 4%$!4%$!4%$!4%$!4%
API String ID: 0-302812754
Opcode ID: b7dfd2572995f458074e6c517d4f4a9144ff4208f9255b60967fd99ff7b54782
Instruction ID: c0dce2b755a37956ac54be705aff4191db547c85c6c542be961051ecf0da1fb3
Opcode Fuzzy Hash: b7dfd2572995f458074e6c517d4f4a9144ff4208f9255b60967fd99ff7b54782
Instruction Fuzzy Hash: BF737D6BFF56041AFB1089B68A857DB6BD353A5358F1BB4349E04D7323E8BED84A1240

Function 00007FF8E84E1420 Relevance: 17.6, Strings: 6, Instructions: 10109COMMON

Download Yara Rule

Strings

@G1, xrefs: 00007FF8E84E3845
',/\, xrefs: 00007FF8E84E543C
@G1, xrefs: 00007FF8E84E382F
@G1, xrefs: 00007FF8E84E1A93
',/\, xrefs: 00007FF8E84E66E9
',/\, xrefs: 00007FF8E84E2942

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: @G1$@G1$@G1$',/\$',/\$',/\
API String ID: 0-999703189
Opcode ID: 9a9157d99710c5bb047f186d2b8deb4e1adaff335d204ccaccdff04718ee4737
Instruction ID: b3b08efdbd83036d057e4946b9c8caae37e2a35e87aa7391aeae8bc9d2796b71
Opcode Fuzzy Hash: 9a9157d99710c5bb047f186d2b8deb4e1adaff335d204ccaccdff04718ee4737
Instruction Fuzzy Hash: 99D33A6BFB5A150BFB0CC8B69DA23EB57C353E1318F1AF4395906C7296DCBE88491244

Function 00007FF8E84E9890 Relevance: 8.9, Strings: 6, Instructions: 1380COMMON

Download Yara Rule

Strings

@}, xrefs: 00007FF8E84EA53A
$vO`, xrefs: 00007FF8E84E9BF5
@}, xrefs: 00007FF8E84E9CD3
+,Rr, xrefs: 00007FF8E84EA85C
+,Rr, xrefs: 00007FF8E84EA24C
$vO`, xrefs: 00007FF8E84EA362

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $vO`$$vO`$+,Rr$+,Rr$@}$@}
API String ID: 0-4243004784
Opcode ID: 374e23b437ea78a890d7d56343eda0ceaaed1df76908d37c21a0757807995875
Instruction ID: c608043ada52139f5caab7edd7a63ea556689c539b9e753e1d7adf45830b56f2
Opcode Fuzzy Hash: 374e23b437ea78a890d7d56343eda0ceaaed1df76908d37c21a0757807995875
Instruction Fuzzy Hash: 42A24D72B5C2424BEB3089699180BBF6BD1E754398F116031DB498BBD2CB7DECD89B05

Function 00007FF8E84CE220 Relevance: 3.4, Strings: 2, Instructions: 948
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

FIDo, xrefs: 00007FF8E84CEC83
FIDo, xrefs: 00007FF8E84CE5E6

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: FIDo$FIDo
API String ID: 0-2295895458
Opcode ID: 76bf83e0f9d15f89800d96bc67aec44f6a24a0c9b90c119a6afcc87a74c4f547
Instruction ID: 2c1e0b59a75572e6753c4a907a738778997ebee709fdbc206603d1ccbc3b588f
Opcode Fuzzy Hash: 76bf83e0f9d15f89800d96bc67aec44f6a24a0c9b90c119a6afcc87a74c4f547
Instruction Fuzzy Hash: 8962BC67BA86011BFF248975C1803EF2BD2E791388F25B434DE4987B66DB7DE8495B00

Function 00000143A844F3D8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00000143A844F627

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 09a635efb40557e66d19d789cd03176a2828270b47717be0ddc9dc138ea1ed53
Instruction ID: 0567a6f5e25a852719426537a32c296387f99ff7f26d7b19a3bd298deacfe8d1
Opcode Fuzzy Hash: 09a635efb40557e66d19d789cd03176a2828270b47717be0ddc9dc138ea1ed53
Instruction Fuzzy Hash: 13C15E31510A4D8FEB9DDF1CC48AB9577E0FB69304F258599E8A9CB2B2C335D952CB01

Function 00007FF8E84E145B Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261e522a800823edeadb38c00b9b95b250f8c2e9b563d41526eb5dd2f4eee498
Instruction ID: cfe9dd521586e04fb3882c16a954efd272021a71d0945fe93674adba91f1afad
Opcode Fuzzy Hash: 261e522a800823edeadb38c00b9b95b250f8c2e9b563d41526eb5dd2f4eee498
Instruction Fuzzy Hash: 8CD11A6BBE56100BEF0C88B689E23E75BC353E6358F1BF4399905C7296D8BE9C4E5104

Function 00007FF8E84A2D30 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1425108083.00007FF8E84A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8E84A0000, based on PE: true

Associated: 00000003.00000002.1425093844.00007FF8E84A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425154660.00007FF8E84EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425171612.00007FF8E84EC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1425194662.00007FF8E850B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff8e84a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82af362a0954b65281fab3dbfc4bd730a4a5dfcadb2df4e7435bf0d1f38c720e
Instruction ID: 361b28d38ee2f353d3a8c187848c4c24e19c1580f54a6c4594a7eb7c7da3cae9
Opcode Fuzzy Hash: 82af362a0954b65281fab3dbfc4bd730a4a5dfcadb2df4e7435bf0d1f38c720e
Instruction Fuzzy Hash: 45D19ABBB7950007FB09897658A33FB5BC3639531DF1AB839AD06D7291E9BDDC490204

Function 00000143A8441540 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb6ef0740fca4777ef060016385f250c52519df02de5653defd5d9bfbafd29e
Instruction ID: 6c331eb5b07d51ecacc1b21332a889cdbe223d2cb48353b501abe3f4ddf553f2
Opcode Fuzzy Hash: beb6ef0740fca4777ef060016385f250c52519df02de5653defd5d9bfbafd29e
Instruction Fuzzy Hash: 06E13470558B488FE769EF18D8897EA77E1FB98305F20462EE48EC3161DF349645CB82

Function 00000143A8441A30 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f432bef4d8a1500742c93c345c90908278f3b425d70456be5894f74d0482f2c
Instruction ID: 226e880602076ab9de0eb9cb600777f993259328ca4843f79da16a79ac43b792
Opcode Fuzzy Hash: 1f432bef4d8a1500742c93c345c90908278f3b425d70456be5894f74d0482f2c
Instruction Fuzzy Hash: BAB1A971258A494FEB69EF24DC597FA73E1FBA4301F20422ED49BC31A1DF349A058B81

Function 00000143A84471AC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e9beff2eaa7c7f876a80ef3703abb4a76fb9d45624bea63be5c4672b97ae7c
Instruction ID: c65be6fc5b5884ed8b0de5cae7c8e0fc202938b9e2cc94f6a545c6d04c893b2c
Opcode Fuzzy Hash: 90e9beff2eaa7c7f876a80ef3703abb4a76fb9d45624bea63be5c4672b97ae7c
Instruction Fuzzy Hash: 04512632318E0C4FDB0CDF6CE4996B573D2F7AC310B25822EE44AC72A6DA70D9468781

Function 00000143A8443FA0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000143A8443FFC

Part of subcall function 00000143A8444F44: __GetUnwindTryBlock.LIBCMT ref: 00000143A8444F87
Part of subcall function 00000143A8444F44: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000143A8444FAC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000143A84440D4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000143A8444323
std::bad_alloc::bad_alloc.LIBCMT ref: 00000143A844442F

Strings

csm, xrefs: 00000143A844407D
csm, xrefs: 00000143A8444016
csm, xrefs: 00000143A84440F7

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction ID: b71ec4d7fc63b3b9f2b1f388fd8d3d41528b15cb4d5860276f63104eecbebe31
Opcode Fuzzy Hash: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction Fuzzy Hash: B8F18830559B088FEB58EF58D445BE977E0FB64710F70065EE49AD32A6DB30DA41CB82

Function 00000143A8444820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000143A8444848
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000143A8444930

Strings

csm, xrefs: 00000143A844486A
csm, xrefs: 00000143A8444982

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction ID: f0d7c9e99464e87aa68f07a135625cb88bacb0175a04574437db7bc7cd551133
Opcode Fuzzy Hash: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction Fuzzy Hash: 8D719130695B448FEBACDF2880487A4B3D0FB64315F74425E94EAD76E2CB70DA80C746

Function 00000143A8442BE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000143A8442C0B
_IsNonwritableInCurrentImage.LIBCMT ref: 00000143A8442CA2

Strings

csm, xrefs: 00000143A8442C89

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction ID: 819361409ff65be934f76c6a3a105b0884599524406506315f3bdadfdd541b7c
Opcode Fuzzy Hash: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction Fuzzy Hash: 5F711770248E198BEF2CEE1CE485BB473D1FB64350F30416DE8D6C32A6EA72E9518785

Function 00000143A8444470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000143A844451B

Strings

MOC, xrefs: 00000143A84444E3
RCC, xrefs: 00000143A84444EB

Memory Dump Source

Source File: 00000003.00000002.1425025961.00000143A8441000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000143A8441000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_143a8441000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction ID: a07cac90da68fbffea6d651b189f294dfec4de21cbe22293ee9246f7e9b266ba
Opcode Fuzzy Hash: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction Fuzzy Hash: 5471C830518B488FE768DF58C446BE5B7E0FBA8700F244A5EE4D9C3162D774E581CB82

Analysis Process: rundll32.exePID: 4476, Parent PID: 3132COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	4

Executed Functions

Function 000002DFACAB2080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000002DFACAB20B3

Strings

5, xrefs: 000002DFACAB2153

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: 5
API String ID: 2422867632-2226203566
Opcode ID: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction ID: 425da2bf2a97ffc9ec10701d8dca2fc5504948912c5099cbf190b3b48da3e5e1
Opcode Fuzzy Hash: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction Fuzzy Hash: F821B0752146448BE784EF70DA9D2FA77E1FB94301F404A3FF14BDA1A2EE3889048706

Function 000002DFACABA76C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000002DFACABA7FB

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 88ec0ce35036a5a1fbcf623ebc041bb5733b6e3fce95a42db7acf307199213a2
Instruction ID: da26a10b7e43c94bb91a73a832195bce59ed259b03499e4ff01bb140417a2273
Opcode Fuzzy Hash: 88ec0ce35036a5a1fbcf623ebc041bb5733b6e3fce95a42db7acf307199213a2
Instruction Fuzzy Hash: 7131EE34408E195EE7E5DF2CC4A86B4B6D0FB19360F64035AE45BEB2E4CA34DCA2C785

Function 000002DFACAB1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000002DFACAB104B

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction ID: 376d03362cc7fac2f3289893764aed02a0a0143420e782f5090dacf0d4e051db
Opcode Fuzzy Hash: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction Fuzzy Hash: 740144305085448FFB46AB28D998BE677A1F768305F008569E0CAD72A5DE7C8A58C741

Function 000002DFACAB6E58 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000002DFACAB6E54), ref: 000002DFACAB6E83

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction ID: 4d24652e14d0511c5274f4a5f1102bad9aa14b6b1275fde5bc129abe09b881ac
Opcode Fuzzy Hash: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction Fuzzy Hash: 7BD017287002040BEA9C7BB4DAEC3792662CB45201F041839B90BCB6E3CD399C048746

Function 000002DFACAB2050 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000002DFACAB206A

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction ID: c092d3f5cc9ad05945e7761e4822e93b8ddb175e52b7450221b7c49769eb2abf
Opcode Fuzzy Hash: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction Fuzzy Hash: 75C0123011140946E708BB34EC595E132A8FB8C301FD185359407C6450E96D81885B82

Non-executed Functions

Function 000002DFACAB3FA0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002DFACAB3FFC

Part of subcall function 000002DFACAB4F44: __GetUnwindTryBlock.LIBCMT ref: 000002DFACAB4F87
Part of subcall function 000002DFACAB4F44: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002DFACAB4FAC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002DFACAB40D4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002DFACAB4323
std::bad_alloc::bad_alloc.LIBCMT ref: 000002DFACAB442F

Strings

csm, xrefs: 000002DFACAB4016
csm, xrefs: 000002DFACAB407D
csm, xrefs: 000002DFACAB40F7

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction ID: 2e66b7b2ebd788b20b10b67e0a3eaa0f9b997779a8c42d920d5d1048fd517757
Opcode Fuzzy Hash: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction Fuzzy Hash: 0FF15E34518B088BEB94EF68D5597B9B7E0FB59310F54066EE44ECB292DB30DC81CB86

Function 000002DFACAB4820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002DFACAB4848
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002DFACAB4930

Strings

csm, xrefs: 000002DFACAB4982
csm, xrefs: 000002DFACAB486A

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction ID: 1b2cd2745b1367e833901a31049f21ef5756ca7561df76fcb98b396f467bd4b8
Opcode Fuzzy Hash: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction Fuzzy Hash: C1715E34614A498BEBE89B58C16C374B7D1FB58311F64427F949ECA692CF70DC80C74A

Function 000002DFACAB2BE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002DFACAB2C0B
_IsNonwritableInCurrentImage.LIBCMT ref: 000002DFACAB2CA2

Strings

csm, xrefs: 000002DFACAB2C89

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction ID: 99ca3458fff3d23582d8663ab1e64b13f10c5c33c30a53bd2f064f79fa86aedc
Opcode Fuzzy Hash: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction Fuzzy Hash: 2471C534208A098BEBA8AE5CD59977477D1FB54350F10427FE88BCB296EA31EC518789

Function 000002DFACAB4470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002DFACAB451B

Strings

RCC, xrefs: 000002DFACAB44EB
MOC, xrefs: 000002DFACAB44E3

Memory Dump Source

Source File: 00000004.00000002.1425671249.000002DFACAB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002DFACAB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2dfacab1000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction ID: 706fdb6c6358967835eb8e8b22c81cdf1291d547621d7aab021fe9a30ac1b285
Opcode Fuzzy Hash: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction Fuzzy Hash: 4B719330518B488FE7A4DF18C55A7A9B7E0FB99300F144A6EE48EC7151DB74ED81C786

Analysis Process: rundll32.exePID: 3336, Parent PID: 2808COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	2

Executed Functions

Function 00000230D3432080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00000230D34320B3

Strings

5, xrefs: 00000230D3432153

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: 5
API String ID: 2422867632-2226203566
Opcode ID: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction ID: 1efcb70095475473116f4d4b5ea59cd28590f4ec7a066c230679fa8702cfdc4c
Opcode Fuzzy Hash: fec50be18cec05fb1f2d2de2c440bef84976441ada21ca2d20ea2fb0305f6d76
Instruction Fuzzy Hash: A421AE712546488BE744FBB0D89D2EA77E1FB95301F50456AF047D66A2EE3CE604C712

Function 00000230D3431000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 00000230D343104B

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction ID: 81d751778c677dd425bfc2d7c95b0bf93758de6a38b85342db6ed8fae4dd191e
Opcode Fuzzy Hash: 0177a58ad0feb6b794dd3b4ec03ae6edbb9575ae31101b3539175058fe829bc5
Instruction Fuzzy Hash: 150144315086488FFB06AB68D8DCBD676E1F769301F008569A0CAD72A5DE7CC658C751

Function 00000230D3436E58 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,00000230D3436E54), ref: 00000230D3436E83

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction ID: 62b9b29bf7981675c229a7b136e85a77c8c84831f741765484aadb564e125d7d
Opcode Fuzzy Hash: bf6664ce3ce6688347f466b549bb248f323f25cd8840df242701a1179d4e4307
Instruction Fuzzy Hash: 17D017207412090BEA587BF499EE3292696CB46211F0018787902CBAE3CD3DEA088652

Function 00000230D3432050 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00000230D343206A

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction ID: c092d3f5cc9ad05945e7761e4822e93b8ddb175e52b7450221b7c49769eb2abf
Opcode Fuzzy Hash: 4c2fd0a914b7ba21d3acfa36acad50b2e0ddb8d668cb0b05972da9b0caa7b8c6
Instruction Fuzzy Hash: 75C0123011140946E708BB34EC595E132A8FB8C301FD185359407C6450E96D81885B82

Non-executed Functions

Function 00000230D3433FA0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000230D3433FFC

Part of subcall function 00000230D3434F44: __GetUnwindTryBlock.LIBCMT ref: 00000230D3434F87
Part of subcall function 00000230D3434F44: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000230D3434FAC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000230D34340D4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000230D3434323
std::bad_alloc::bad_alloc.LIBCMT ref: 00000230D343442F

Strings

csm, xrefs: 00000230D34340F7
csm, xrefs: 00000230D3434016
csm, xrefs: 00000230D343407D

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction ID: 7b43e49062b3d754d20867cd09b70d221547ce4720107e2b4bac6fc2670e0390
Opcode Fuzzy Hash: bda51bc3a0357f57d772c211ceca0e07ff0350a93b45b89eafa1cc507aec3172
Instruction Fuzzy Hash: 53F16130558B0C8BEB54EFA8C4997E977E0FB59310F5005ADE449C7692DB3CEA81CB92

Function 00000230D3434820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000230D3434848
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000230D3434930

Strings

csm, xrefs: 00000230D343486A
csm, xrefs: 00000230D3434982

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction ID: dbbdf9ccc864d1ee4cc1c850996e919f0366003410048db951aa166f745886a1
Opcode Fuzzy Hash: 1d2698259a612f2ee7ff18fa5726e536797fed5dba793eddb852fdfecdc1ddd2
Instruction Fuzzy Hash: 66717130558A4D8BEBA8DB6880ED3A877D1FF54311F5442AE9499C7BD2C73CE980CB52

Function 00000230D3432BE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000230D3432C0B
_IsNonwritableInCurrentImage.LIBCMT ref: 00000230D3432CA2

Strings

csm, xrefs: 00000230D3432C89

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction ID: 602f5051d62de544f01ab369ee14467ca210fac3b99ebbba529068d6223a8a07
Opcode Fuzzy Hash: d6c1345f67480e357b279f855e56577cf3eeb2642f55a01c02fffb8b22a130ce
Instruction Fuzzy Hash: 0971F730248A0D8BEF68EE9CD4D977873D1FB54390F1041ADE886C3696EA3DF9518791

Function 00000230D3434470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000230D343451B

Strings

MOC, xrefs: 00000230D34344E3
RCC, xrefs: 00000230D34344EB

Memory Dump Source

Source File: 00000006.00000002.1454406762.00000230D3431000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D3431000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_230d3431000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction ID: 9d274e90a92a2f48768fac8bd3df831fdbbd1077340b908e1241efab2d7ecb30
Opcode Fuzzy Hash: defcd56cab28add25d698ecca6325f30bff9252b91cf191f8f0c67d00d085a97
Instruction Fuzzy Hash: A371B230558B4C8FE764DF58C4967A9B7E0FB98300F044A9EE489C3661DB7CE681CB92

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 94.159.113.82.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 2808, Parent PID: 3504

General

Chronological Activities

Analysis Process: conhost.exePID: 2136, Parent PID: 2808

General

Chronological Activities

Analysis Process: cmd.exePID: 3132, Parent PID: 2808

Windows Analysis Report
94.159.113.82.dll.dll

Function 00000143A8442080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
threadCOMMON

Function 00000143A8441000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 00000143A8446E58 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 00000143A8442050 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 00007FF8E84C96B0 Relevance: 28.3, Strings: 18, Instructions: 5822
COMMON

Function 00007FF8E84CE220 Relevance: 3.4, Strings: 2, Instructions: 948
COMMON

Function 00000143A8443FA0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 00000143A8444820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 00000143A8442BE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 00000143A8444470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 000002DFACAB2080 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80
threadCOMMON

Function 000002DFACABA76C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 000002DFACAB1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 000002DFACAB6E58 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 000002DFACAB2050 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 000002DFACAB3FA0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 000002DFACAB4820 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 000002DFACAB2BE0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 000002DFACAB4470 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON