Edit tour
Windows
Analysis Report
rU7laIXI5D.exe
Overview
General Information
| Sample name: | rU7laIXI5D.exerenamed because original name is a hash value |
| Original sample name: | 389a3651a3fb8c5a51f0f0d14848b62ecd4028df.exe |
| Analysis ID: | 1546808 |
| MD5: | c2066aea51ee5eedd9790378151f52da |
| SHA1: | 389a3651a3fb8c5a51f0f0d14848b62ecd4028df |
| SHA256: | 7195e707c8af0b316fe7d3bc0a74dcce3736f6ad7df7a07bcefb22701252c741 |
| Tags: | exeReversingLabsuser-NDA0E |
| Infos: |   |
 | |
Detection
Blihan Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Blihan Stealer
Creates an autostart registry key pointing to binary in C:\Windows
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Contains functionality to dynamically determine API calls
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
PE file contains sections with non-standard names
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
rU7laIXI5D.exe (PID: 4884 cmdline: "C:\Users\ user\Deskt op\rU7laIX I5D.exe" MD5: C2066AEA51EE5EEDD9790378151F52DA) - microsofthelp.exe (PID: 6232 cmdline:
"C:\Window s\microsof thelp.exe" MD5: FDB9ABFB08DBA6EDA764C4E18070B285)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| Click to see the 2 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| JoeSecurity_BlihanStealer | Yara detected Blihan Stealer | Joe Security | ||
| Click to see the 1 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-01T16:04:57.032925+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49816 | TCP |
| 2024-11-01T16:05:34.763746+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49979 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00401C80 | |
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Code function: | 0_2_004017C0 | |
System Summary | |
|---|
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Mutant created: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | ReversingLabs: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Code function: | 0_2_00401510 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_004041EE | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
Persistence and Installation Behavior | |
|---|
| Source: | Executable created and started: | Jump to behavior | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival | |
|---|
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
| Source: | Registry value created or modified: | Jump to behavior | ||
Hooking and other Techniques for Hiding and Protection | |
|---|
| Source: | File deleted: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | Evasive API call chain: | graph_0-1662 | ||
| Source: | Code function: | 0_2_00401CC0 | |
| Source: | Evasive API call chain: | graph_0-1702 | ||
| Source: | Evasive API call chain: | graph_0-1876 | ||
| Source: | Code function: | 0_2_00401C80 | |
| Source: | API call chain: | graph_0-1664 | ||
| Source: | API call chain: | graph_0-1895 | ||
| Source: | Code function: | 0_2_00401510 | |
| Source: | Code function: | 0_2_00401000 | |
| Source: | Code function: | 0_2_00402D5E | |
| Source: | Code function: | 0_2_00402D70 | |
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Native API | 11 Registry Run Keys / Startup Folder | 1 Process Injection | 12 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | 1 System Network Configuration Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 92% | ReversingLabs | Win32.Trojan.Blihan | ||
| 100% | Avira | TR/Downloader.Gen | ||
| 100% | Joe Sandbox ML |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Avira | TR/Downloader.Gen | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | unknown |
⊘No contacted IP infos
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1546808 |
| Start date and time: | 2024-11-01 16:03:36 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 5s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | rU7laIXI5D.exerenamed because original name is a hash value |
| Original Sample Name: | 389a3651a3fb8c5a51f0f0d14848b62ecd4028df.exe |
| Detection: | MAL |
| Classification: | mal100.troj.evad.winEXE@3/1@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
- VT rate limit hit for: rU7laIXI5D.exe
| Time | Type | Description |
|---|---|---|
| 16:04:43 | Autostart | |
| 16:05:03 | Autostart |
⊘No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | Get hash | malicious | Unknown | Browse |
| |
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | Credential Flusher | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | HTMLPhisher, Mamba2FA | Browse |
|
⊘No context
⊘No context
⊘No context
| Process: | C:\Users\user\Desktop\rU7laIXI5D.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 72484 |
| Entropy (8bit): | 5.844510359378987 |
| Encrypted: | false |
| SSDEEP: | 1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRZF:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWX |
| MD5: | FDB9ABFB08DBA6EDA764C4E18070B285 |
| SHA1: | C7AA4602AE86ACB5E5B1F8E1D3ECDE89928D951E |
| SHA-256: | 56382B58DA171B0F25FDD57FC9F79D549D2BA8D7899CC1CD2FF7825FA3307B12 |
| SHA-512: | 58FCFE6B1A2FA25BCF06B1FC07692334E119930061C088AB6CB9099C161B53624FE586072934EA6706596BE83F20595B7A357F4ABB4F568E7D39F863E575AE90 |
| Malicious: | true |
| Yara Hits: |
|
| Antivirus: |
|
| Reputation: | low |
| Preview: |
| File type: | |
| Entropy (8bit): | 5.856792003596459 |
| TrID: |
|
| File name: | rU7laIXI5D.exe |
| File size: | 72'224 bytes |
| MD5: | c2066aea51ee5eedd9790378151f52da |
| SHA1: | 389a3651a3fb8c5a51f0f0d14848b62ecd4028df |
| SHA256: | 7195e707c8af0b316fe7d3bc0a74dcce3736f6ad7df7a07bcefb22701252c741 |
| SHA512: | f61c73d437bad3523ce0298a75e36fe0accf8dacf460856311eddfd15e2f45cd2e9b0018eeeb84dbbf01486ce1ed88300c33fe9951f4fe05dc2d66a7788f3353 |
| SSDEEP: | 1536:qAo0+j2d6rnJqlIUlizbR9XwzSPamvDsdHgHSIQEvTbWh7MzdPAxHyHfOdIRIRZx:qAoVl4lX8Pvw2PamvDsdHgHSIQEvTbWv |
| TLSH: | 61637D53ADD88443E896253012E8EB7B6D3FBFC21E94915387D8FC1929937C0DB2925E |
| File Content Preview: | MZ......................@....2..........................................!..L.!This program cannot be run in DOS mode....$.......................................................K.......................`.......Rich....................PE..L......O........... |
 | |
| Icon Hash: | 00928e8e8686b000 |
| Entrypoint: | 0x401000 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
| DLL Characteristics: | |
| Time Stamp: | 0x4F179BFF [Thu Jan 19 04:28:47 2012 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 4 |
| OS Version Minor: | 0 |
| File Version Major: | 4 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 4 |
| Subsystem Version Minor: | 0 |
| Import Hash: | ed42d4abceb2444958dc2f2ce7063809 |
| Signature Valid: | |
| Signature Issuer: | |
| Signature Validation Error: | |
| Error Number: | |
| Not Before, Not After | |
| Subject Chain | |
| Version: | |
| Thumbprint MD5: | |
| Thumbprint SHA-1: | |
| Thumbprint SHA-256: | |
| Serial: |
| Instruction |
|---|
| push FFFFFFFFh |
| push 00404611h |
| mov eax, dword ptr fs:[00000000h] |
| push eax |
| mov dword ptr fs:[00000000h], esp |
| sub esp, 00000630h |
| push ebx |
| push ebp |
| push esi |
| push edi |
| mov ecx, 00000040h |
| xor eax, eax |
| lea edi, dword ptr [esp+0000013Dh] |
| mov byte ptr [esp+0000013Ch], 00000000h |
| rep stosd |
| stosw |
| stosb |
| lea eax, dword ptr [esp+0000013Ch] |
| push 00000104h |
| push eax |
| push 00000000h |
| call dword ptr [00405050h] |
| lea ecx, dword ptr [esp+14h] |
| call 00007F87248D080Dh |
| lea ecx, dword ptr [esp+0000013Ch] |
| push 00000000h |
| push ecx |
| lea ecx, dword ptr [esp+1Ch] |
| mov dword ptr [esp+00000650h], 00000000h |
| call 00007F87248D080Fh |
| test eax, eax |
| jne 00007F87248CFA34h |
| push 000003E8h |
| call dword ptr [0040504Ch] |
| lea edx, dword ptr [esp+0000013Ch] |
| push 00000000h |
| push edx |
| lea ecx, dword ptr [esp+1Ch] |
| call 00007F87248D07EDh |
| test eax, eax |
| je 00007F87248CF9F0h |
| lea ecx, dword ptr [esp+14h] |
| call 00007F87248D09A0h |
| mov ebx, dword ptr [00405048h] |
| push eax |
| push 00000008h |
| mov dword ptr [004086E4h], eax |
| call ebx |
| push eax |
| call dword ptr [00405044h] |
| mov ecx, dword ptr [004086E4h] |
| mov dword ptr [004086E0h], eax |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc000 | 0x78 | .imports |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9800 | 0x4d50 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x4000 | 0x3800 | 2ab7fd8c123b112cf3b5d1962a297b8d | False | 0.5809849330357143 | data | 6.401056074083298 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x5000 | 0x1000 | 0x600 | 28b0dcb84195a5ab4b77ee0c12902aea | False | 0.45703125 | data | 4.732953369377026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .data | 0x6000 | 0x3000 | 0x2800 | e9acbf5d01a439b581e4c01e8d2a5f39 | False | 0.0779296875 | data | 0.9614498560336738 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .shoooo | 0x9000 | 0x3000 | 0x2800 | a7b4ffd70e877fa95b9be758de40bb67 | False | 0.9544921875 | data | 7.835447843663171 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .imports | 0xc000 | 0x1000 | 0x600 | f70ebb256fe0ad244adedff7b8bda2b7 | False | 0.345703125 | data | 3.608258743690415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| ADVAPI32.dll | RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyA, RegOpenKeyA, RegCloseKey |
| iphlpapi.dll | GetAdaptersInfo |
| KERNEL32.dll | GetStringTypeA, LCMapStringW, WaitForSingleObject, CreateThread, HeapFree, DeleteFileA, ExitProcess, lstrcmpiA, lstrcatA, GetWindowsDirectoryA, HeapAlloc, GetProcessHeap, Sleep, GetModuleFileNameA, CloseHandle, GetLastError, CreateMutexA, GetProcAddress, LoadLibraryA, HeapReAlloc, GetTickCount, FindClose, FindFirstFileA, TerminateProcess, CreateProcessA, CreateFileA, ReadFile, WriteFile, FlushFileBuffers, GetFileSize, LCMapStringA, GetStringTypeW, MultiByteToWideChar, GetOEMCP, GetACP, GetCPInfo, RtlUnwind, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, GetCurrentProcess, GetStdHandle, WideCharToMultiByte |
| WININET.dll | InternetOpenA, InternetSetOptionExA, InternetOpenUrlA, InternetCloseHandle, InternetReadFile |
| USER32.dll | wsprintfA |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 1, 2024 16:04:34.863984108 CET | 1.1.1.1 | 192.168.2.6 | 0x8f76 | No error (0) | s-part-0017.t-0009.t-msedge.net | CNAME (Canonical name) | IN (0x0001) | false | ||
| Nov 1, 2024 16:04:34.863984108 CET | 1.1.1.1 | 192.168.2.6 | 0x8f76 | No error (0) | 13.107.246.45 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 11:04:40 |
| Start date: | 01/11/2024 |
| Path: | C:\Users\user\Desktop\rU7laIXI5D.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 72'224 bytes |
| MD5 hash: | C2066AEA51EE5EEDD9790378151F52DA |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 11:04:40 |
| Start date: | 01/11/2024 |
| Path: | C:\Windows\microsofthelp.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 72'484 bytes |
| MD5 hash: | FDB9ABFB08DBA6EDA764C4E18070B285 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Antivirus matches: |
|
| Reputation: | low |
| Has exited: | false |
Execution Graph
| Execution Coverage: | 5% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 27.2% |
| Total number of Nodes: | 283 |
| Total number of Limit Nodes: | 3 |
Graph
Function 00401000 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 309memorysleepstringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401A70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70registryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401E00 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24processCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401E70 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401FB0 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401FE0 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402010 Relevance: 1.3, APIs: 1, Instructions: 10COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004017C0 Relevance: 19.6, APIs: 13, Instructions: 133memorynetworkfileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401CC0 Relevance: 9.0, APIs: 6, Instructions: 47memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67librarystringloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401C80 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402D5E Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00402D70 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004034C2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00403615 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401D30 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 33libraryloadersynchronizationCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 004041EF Relevance: 13.7, APIs: 9, Instructions: 177COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401610 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 122memorystringCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401930 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 99memorysleepCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 0040443E Relevance: 9.1, APIs: 6, Instructions: 117COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|
Function 00401DC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19registryCOMMON
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Yara matches |
| Similarity |
|