Edit tour
Windows
Analysis Report
Loader.exe
Overview
General Information
| Sample name: | Loader.exe |
| Analysis ID: | 1561387 |
| MD5: | 0e6fce268473aad13da6aa0c2e93ec94 |
| SHA1: | d01b0c69c28b913c4dd3297ca6c78f98d6ba1972 |
| SHA256: | bc32cb3d7964088842b7040c23af2bff7f8e07781e8295a3e45871151052e7b7 |
| Tags: | exeuser-4k95m |
| Infos: |  |
 | |
Detection
LummaC Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Classification
- System is w10x64
Loader.exe (PID: 6336 cmdline: "C:\Users\ user\Deskt op\Loader. exe" MD5: 0E6FCE268473AAD13DA6AA0C2E93EC94) 
conhost.exe (PID: 6564 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Loader.exe (PID: 3864 cmdline:
"C:\Users\ user\Deskt op\Loader. exe" MD5: 0E6FCE268473AAD13DA6AA0C2E93EC94)
- cleanup
{"C2 url": "https://property-imper.sbs/api", "Build Version": "yau6Na--6524795094"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security | ||
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
| JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
⊘No Sigma rule has matched
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:00.432707+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:02.462552+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:04.724286+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:08.091904+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:10.297377+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:13.021780+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:15.864845+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:18.622598+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:01.107725+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:03.189450+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:01.107725+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:03.189450+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:08.818658+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | |||
| Source: | Virustotal: | Perma Link | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Code function: | 2_2_0041DAF8 | |
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00E6C7DB | |
| Source: | Code function: | 2_2_00442AF0 | |
| Source: | Code function: | 2_2_00442AF0 | |
| Source: | Code function: | 2_2_0041DAF8 | |
| Source: | Code function: | 2_2_00442310 | |
| Source: | Code function: | 2_2_0041F580 | |
| Source: | Code function: | 2_2_004435B0 | |
| Source: | Code function: | 2_2_0042FE20 | |
| Source: | Code function: | 2_2_00429680 | |
| Source: | Code function: | 2_2_00429680 | |
| Source: | Code function: | 2_2_00421F60 | |
| Source: | Code function: | 2_2_0042FF02 | |
| Source: | Code function: | 2_2_0042EF3E | |
| Source: | Code function: | 2_2_00442790 | |
| Source: | Code function: | 2_2_00442790 | |
| Source: | Code function: | 2_2_00441840 | |
| Source: | Code function: | 2_2_00425050 | |
| Source: | Code function: | 2_2_0041B02F | |
| Source: | Code function: | 2_2_0041B02F | |
| Source: | Code function: | 2_2_004200C6 | |
| Source: | Code function: | 2_2_004210D0 | |
| Source: | Code function: | 2_2_0041A0F8 | |
| Source: | Code function: | 2_2_0041A080 | |
| Source: | Code function: | 2_2_0042B880 | |
| Source: | Code function: | 2_2_0040C09A | |
| Source: | Code function: | 2_2_00442950 | |
| Source: | Code function: | 2_2_00442950 | |
| Source: | Code function: | 2_2_00442150 | |
| Source: | Code function: | 2_2_0043D970 | |
| Source: | Code function: | 2_2_00441920 | |
| Source: | Code function: | 2_2_00409990 | |
| Source: | Code function: | 2_2_0041D1BE | |
| Source: | Code function: | 2_2_0041AA68 | |
| Source: | Code function: | 2_2_0042FA7B | |
| Source: | Code function: | 2_2_0042FA7B | |
| Source: | Code function: | 2_2_00419A1F | |
| Source: | Code function: | 2_2_00419A1F | |
| Source: | Code function: | 2_2_00426AC2 | |
| Source: | Code function: | 2_2_00429AEE | |
| Source: | Code function: | 2_2_00421A80 | |
| Source: | Code function: | 2_2_0041D327 | |
| Source: | Code function: | 2_2_0040D382 | |
| Source: | Code function: | 2_2_00438450 | |
| Source: | Code function: | 2_2_0042D4D0 | |
| Source: | Code function: | 2_2_0041BCD5 | |
| Source: | Code function: | 2_2_00419DD1 | |
| Source: | Code function: | 2_2_0043048B | |
| Source: | Code function: | 2_2_0043E4A0 | |
| Source: | Code function: | 2_2_004414B0 | |
| Source: | Code function: | 2_2_0040AD40 | |
| Source: | Code function: | 2_2_00427558 | |
| Source: | Code function: | 2_2_00429520 | |
| Source: | Code function: | 2_2_0041B5C0 | |
| Source: | Code function: | 2_2_0041ADD5 | |
| Source: | Code function: | 2_2_0042B5DE | |
| Source: | Code function: | 2_2_004415E0 | |
| Source: | Code function: | 2_2_0042ADEA | |
| Source: | Code function: | 2_2_00424DF0 | |
| Source: | Code function: | 2_2_0041CD83 | |
| Source: | Code function: | 2_2_0043DD90 | |
| Source: | Code function: | 2_2_0041B657 | |
| Source: | Code function: | 2_2_0041B657 | |
| Source: | Code function: | 2_2_00426E01 | |
| Source: | Code function: | 2_2_00426E01 | |
| Source: | Code function: | 2_2_0042AE30 | |
| Source: | Code function: | 2_2_00426ED0 | |
| Source: | Code function: | 2_2_004256D1 | |
| Source: | Code function: | 2_2_0042E6FC | |
| Source: | Code function: | 2_2_004426A0 | |
| Source: | Code function: | 2_2_004414B0 | |
| Source: | Code function: | 2_2_00426760 | |
| Source: | Code function: | 2_2_00441760 | |
| Source: | Code function: | 2_2_0041976F | |
| Source: | Code function: | 2_2_0042C778 | |
| Source: | Code function: | 2_2_00441F00 | |
| Source: | Code function: | 2_2_0042CF9F | |
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | URLs: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | DNS traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Code function: | 2_2_00436300 | |
| Source: | Code function: | 2_2_00436300 | |
| Source: | Code function: | 2_2_004364F0 | |
| Source: | Code function: | 0_2_00E5F4D0 | |
| Source: | Code function: | 0_2_00E634D0 | |
| Source: | Code function: | 0_2_00E615A0 | |
| Source: | Code function: | 0_2_00E5F980 | |
| Source: | Code function: | 0_2_00E586C0 | |
| Source: | Code function: | 0_2_00E5CE70 | |
| Source: | Code function: | 0_2_00E5D7F0 | |
| Source: | Code function: | 0_2_00E71FD2 | |
| Source: | Code function: | 2_3_0378E4FA | |
| Source: | Code function: | 2_3_0378E4FA | |
| Source: | Code function: | 2_3_0378E4FA | |
| Source: | Code function: | 2_3_0378E4FA | |
| Source: | Code function: | 2_2_0043A860 | |
| Source: | Code function: | 2_2_00426143 | |
| Source: | Code function: | 2_2_00422AFE | |
| Source: | Code function: | 2_2_00408BC0 | |
| Source: | Code function: | 2_2_0043ABD0 | |
| Source: | Code function: | 2_2_0043D420 | |
| Source: | Code function: | 2_2_00442C30 | |
| Source: | Code function: | 2_2_00424480 | |
| Source: | Code function: | 2_2_0040E521 | |
| Source: | Code function: | 2_2_0041F580 | |
| Source: | Code function: | 2_2_004435B0 | |
| Source: | Code function: | 2_2_0042EEDD | |
| Source: | Code function: | 2_2_00429680 | |
| Source: | Code function: | 2_2_00421F60 | |
| Source: | Code function: | 2_2_0042FF02 | |
| Source: | Code function: | 2_2_00441840 | |
| Source: | Code function: | 2_2_00407850 | |
| Source: | Code function: | 2_2_00425050 | |
| Source: | Code function: | 2_2_0041B02F | |
| Source: | Code function: | 2_2_004210D0 | |
| Source: | Code function: | 2_2_0042E8FF | |
| Source: | Code function: | 2_2_0042C895 | |
| Source: | Code function: | 2_2_004068A0 | |
| Source: | Code function: | 2_2_0042C895 | |
| Source: | Code function: | 2_2_0042F145 | |
| Source: | Code function: | 2_2_00426960 | |
| Source: | Code function: | 2_2_0043B961 | |
| Source: | Code function: | 2_2_00436120 | |
| Source: | Code function: | 2_2_00441920 | |
| Source: | Code function: | 2_2_00431937 | |
| Source: | Code function: | 2_2_00402180 | |
| Source: | Code function: | 2_2_00409990 | |
| Source: | Code function: | 2_2_00443260 | |
| Source: | Code function: | 2_2_0041AA68 | |
| Source: | Code function: | 2_2_0042FA7B | |
| Source: | Code function: | 2_2_00429A00 | |
| Source: | Code function: | 2_2_0043A210 | |
| Source: | Code function: | 2_2_00419A1F | |
| Source: | Code function: | 2_2_00430A2D | |
| Source: | Code function: | 2_2_0042EEDD | |
| Source: | Code function: | 2_2_00423AE0 | |
| Source: | Code function: | 2_2_00429AEE | |
| Source: | Code function: | 2_2_00426AF0 | |
| Source: | Code function: | 2_2_00445288 | |
| Source: | Code function: | 2_2_0042BA9A | |
| Source: | Code function: | 2_2_0041EAA3 | |
| Source: | Code function: | 2_2_00420B60 | |
| Source: | Code function: | 2_2_0041D327 | |
| Source: | Code function: | 2_2_0040B32F | |
| Source: | Code function: | 2_2_00402B90 | |
| Source: | Code function: | 2_2_0043339D | |
| Source: | Code function: | 2_2_0042244F | |
| Source: | Code function: | 2_2_0042AC02 | |
| Source: | Code function: | 2_2_0043B400 | |
| Source: | Code function: | 2_2_004204E0 | |
| Source: | Code function: | 2_2_00441C80 | |
| Source: | Code function: | 2_2_0043048B | |
| Source: | Code function: | 2_2_0043E4A0 | |
| Source: | Code function: | 2_2_004414B0 | |
| Source: | Code function: | 2_2_0042A4B8 | |
| Source: | Code function: | 2_2_0040AD40 | |
| Source: | Code function: | 2_2_00406D40 | |
| Source: | Code function: | 2_2_00405D30 | |
| Source: | Code function: | 2_2_00404D32 | |
| Source: | Code function: | 2_2_0042B5DE | |
| Source: | Code function: | 2_2_004415E0 | |
| Source: | Code function: | 2_2_004085F0 | |
| Source: | Code function: | 2_2_0043DD90 | |
| Source: | Code function: | 2_2_004035B0 | |
| Source: | Code function: | 2_2_0041B657 | |
| Source: | Code function: | 2_2_0040C672 | |
| Source: | Code function: | 2_2_00419E04 | |
| Source: | Code function: | 2_2_0042AE30 | |
| Source: | Code function: | 2_2_0043263C | |
| Source: | Code function: | 2_2_00435ED0 | |
| Source: | Code function: | 2_2_004256D1 | |
| Source: | Code function: | 2_2_004414B0 | |
| Source: | Code function: | 2_2_00426760 | |
| Source: | Code function: | 2_2_00441760 | |
| Source: | Code function: | 2_2_0042C778 | |
| Source: | Code function: | 2_2_00448F1D | |
| Source: | Code function: | 2_2_00442F20 | |
| Source: | Code function: | 2_2_004027C0 | |
| Source: | Code function: | 2_2_00439FB0 | |
| Source: | Code function: | 2_2_00E5F980 | |
| Source: | Code function: | 2_2_00E5F4D0 | |
| Source: | Code function: | 2_2_00E634D0 | |
| Source: | Code function: | 2_2_00E615A0 | |
| Source: | Code function: | 2_2_00E586C0 | |
| Source: | Code function: | 2_2_00E5CE70 | |
| Source: | Code function: | 2_2_00E5D7F0 | |
| Source: | Code function: | 2_2_00E71FD2 | |
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Code function: | 2_2_0043ABD0 | |
| Source: | Mutant created: | ||
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | ReversingLabs: | ||
| Source: | Virustotal: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | |||
| Source: | Process created: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00E64BD8 | |
| Source: | Code function: | 2_3_0378E489 | |
| Source: | Code function: | 2_3_0378E489 | |
| Source: | Code function: | 2_3_0378E679 | |
| Source: | Code function: | 2_3_0378E679 | |
| Source: | Code function: | 2_3_0378E439 | |
| Source: | Code function: | 2_3_0378E439 | |
| Source: | Code function: | 2_3_0378E519 | |
| Source: | Code function: | 2_3_0378E519 | |
| Source: | Code function: | 2_3_0378E4B9 | |
| Source: | Code function: | 2_3_0378E4B9 | |
| Source: | Code function: | 2_3_0378E6C9 | |
| Source: | Code function: | 2_3_0378E6C9 | |
| Source: | Code function: | 2_3_0378E4A9 | |
| Source: | Code function: | 2_3_0378E4A9 | |
| Source: | Code function: | 2_3_0378C4A1 | |
| Source: | Code function: | 2_3_0378E499 | |
| Source: | Code function: | 2_3_0378E499 | |
| Source: | Code function: | 2_3_0378E489 | |
| Source: | Code function: | 2_3_0378E489 | |
| Source: | Code function: | 2_3_0378E679 | |
| Source: | Code function: | 2_3_0378E679 | |
| Source: | Code function: | 2_3_0378E439 | |
| Source: | Code function: | 2_3_0378E439 | |
| Source: | Code function: | 2_3_0378E519 | |
| Source: | Code function: | 2_3_0378E519 | |
| Source: | Code function: | 2_3_0378E4B9 | |
| Source: | Code function: | 2_3_0378E4B9 | |
| Source: | Code function: | 2_3_0378E6C9 | |
| Source: | Code function: | 2_3_0378E6C9 | |
| Source: | Code function: | 2_3_0378E4A9 | |
| Source: | Code function: | 0_2_00E64CA2 | |
| Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion | |
|---|
| Source: | System information queried: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | Thread sleep time: | Jump to behavior | ||
| Source: | WMI Queries: | ||
| Source: | Code function: | 0_2_00E6C7DB | |
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | Jump to behavior | ||
| Source: | Code function: | 2_2_0043FE80 | |
| Source: | Code function: | 0_2_00E65444 | |
| Source: | Code function: | 0_2_00E7B18D | |
| Source: | Code function: | 0_2_00E5CD10 | |
| Source: | Code function: | 0_2_00E5BD50 | |
| Source: | Code function: | 2_2_00E5BD50 | |
| Source: | Code function: | 2_2_00E5CD10 | |
| Source: | Code function: | 0_2_00E69F90 | |
| Source: | Code function: | 0_2_00E65444 | |
| Source: | Code function: | 0_2_00E65438 | |
| Source: | Code function: | 0_2_00E67DCA | |
| Source: | Code function: | 0_2_00E64AD9 | |
| Source: | Code function: | 2_2_00E64AD9 | |
| Source: | Code function: | 2_2_00E65444 | |
| Source: | Code function: | 2_2_00E65438 | |
| Source: | Code function: | 2_2_00E67DCA | |
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Code function: | 0_2_00E7B18D | |
| Source: | Memory written: | Jump to behavior | ||
| Source: | Process created: | Jump to behavior | ||
| Source: | Code function: | 0_2_00E65200 | |
| Source: | Queries volume information: | Jump to behavior | ||
| Source: | Code function: | 0_2_00E658C5 | |
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Binary or memory string: | ||
| Source: | WMI Queries: | ||
Stealing of Sensitive Information | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | Directory queried: | Jump to behavior | ||
| Source: | File source: | ||
| Source: | File source: | ||
Remote Access Functionality | |
|---|
| Source: | File source: | ||
| Source: | File source: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 211 Process Injection | 11 Virtualization/Sandbox Evasion | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Screen Capture | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 211 Process Injection | LSASS Memory | 141 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 41 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 33 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 42% | ReversingLabs | Win32.Trojan.Generic | ||
| 42% | Virustotal | Browse | ||
| 100% | Joe Sandbox ML |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 2% | Virustotal | Browse |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| property-imper.sbs | 172.67.162.84 | true | false | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| false | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 172.67.162.84 | property-imper.sbs | United States | 13335 | CLOUDFLARENETUS | false |
| Joe Sandbox version: | 41.0.0 Charoite |
| Analysis ID: | 1561387 |
| Start date and time: | 2024-11-23 09:48:05 +01:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 4m 34s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Number of analysed new started processes analysed: | 6 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Loader.exe |
| Detection: | MAL |
| Classification: | mal100.troj.spyw.evad.winEXE@4/0@1/1 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
| Time | Type | Description |
|---|---|---|
| 03:49:00 | API Interceptor |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| 172.67.162.84 | Get hash | malicious | LummaC Stealer | Browse | ||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse | |||
| Get hash | malicious | Unknown | Browse | |||
| Get hash | malicious | LummaC Stealer | Browse |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| property-imper.sbs | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| CLOUDFLARENETUS | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | Amadey, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | XWorm | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Stealc, Vidar | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| a0e9f5d64349fb13191bc781f81f42e1 | Get hash | malicious | LummaC Stealer | Browse |
| |
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Unknown | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | Browse |
| ||
| Get hash | malicious | LummaC Stealer | Browse |
| ||
| Get hash | malicious | LummaC | Browse |
|
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.732358355383698 |
| TrID: |
|
| File name: | Loader.exe |
| File size: | 500'224 bytes |
| MD5: | 0e6fce268473aad13da6aa0c2e93ec94 |
| SHA1: | d01b0c69c28b913c4dd3297ca6c78f98d6ba1972 |
| SHA256: | bc32cb3d7964088842b7040c23af2bff7f8e07781e8295a3e45871151052e7b7 |
| SHA512: | 0122f8a058502df27efd7da995a5357f284ed307817f237109ca57891f3cf95959d31fda9b9c5815db0240019ec0a559deb4b2287cd10a70fcfbd9cb59d9ebd9 |
| SSDEEP: | 12288:FJB+nneDgkXFEIKUciGq/LCgvKXG9DhZiwC0:rAoR2x1iG8LCgN9lZi4 |
| TLSH: | BAB4F1AEB3E3A0F3D662183541E49B75456E7E700F2490FB53501F692F36AC28632E57 |
| File Content Preview: | MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...t.@g............................pX............@.......................................@.................................T...<.. |
 | |
| Icon Hash: | 90cececece8e8eb0 |
| Entrypoint: | 0x415870 |
| Entrypoint Section: | .text |
| Digitally signed: | false |
| Imagebase: | 0x400000 |
| Subsystem: | windows cui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x6740AA74 [Fri Nov 22 15:59:48 2024 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 6 |
| OS Version Minor: | 0 |
| File Version Major: | 6 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 6 |
| Subsystem Version Minor: | 0 |
| Import Hash: | 887797384d81c493a9d8ee55dad3b2e1 |
| Instruction |
|---|
| call 00007FD31C6B321Ah |
| jmp 00007FD31C6B307Dh |
| mov ecx, dword ptr [0042B5F0h] |
| push esi |
| push edi |
| mov edi, BB40E64Eh |
| mov esi, FFFF0000h |
| cmp ecx, edi |
| je 00007FD31C6B3216h |
| test esi, ecx |
| jne 00007FD31C6B3238h |
| call 00007FD31C6B3241h |
| mov ecx, eax |
| cmp ecx, edi |
| jne 00007FD31C6B3219h |
| mov ecx, BB40E64Fh |
| jmp 00007FD31C6B3220h |
| test esi, ecx |
| jne 00007FD31C6B321Ch |
| or eax, 00004711h |
| shl eax, 10h |
| or ecx, eax |
| mov dword ptr [0042B5F0h], ecx |
| not ecx |
| pop edi |
| mov dword ptr [0042B5ECh], ecx |
| pop esi |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 14h |
| and dword ptr [ebp-0Ch], 00000000h |
| lea eax, dword ptr [ebp-0Ch] |
| and dword ptr [ebp-08h], 00000000h |
| push eax |
| call dword ptr [0042946Ch] |
| mov eax, dword ptr [ebp-08h] |
| xor eax, dword ptr [ebp-0Ch] |
| mov dword ptr [ebp-04h], eax |
| call dword ptr [00429430h] |
| xor dword ptr [ebp-04h], eax |
| call dword ptr [0042942Ch] |
| xor dword ptr [ebp-04h], eax |
| lea eax, dword ptr [ebp-14h] |
| push eax |
| call dword ptr [004294A8h] |
| mov eax, dword ptr [ebp-10h] |
| lea ecx, dword ptr [ebp-04h] |
| xor eax, dword ptr [ebp-14h] |
| xor eax, dword ptr [ebp-04h] |
| xor eax, ecx |
| leave |
| ret |
| mov eax, 00004000h |
| ret |
| push 0042C970h |
| call dword ptr [00429488h] |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov al, 01h |
| ret |
| push 00030000h |
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29254 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f000 | 0x1400 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x237c0 | 0xc0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x293c8 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2169a | 0x21800 | 02aff72e65eaf052f891170e28598361 | False | 0.550606343283582 | data | 6.737058354414408 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x23000 | 0x7264 | 0x7400 | 91e5fdecc510d2c4e72b1b50db3c2501 | False | 0.40641837284482757 | data | 4.769873714467996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x2b000 | 0x2068 | 0x1000 | f9b2b4b1f63578440eedd0ace5ac94f1 | False | 0.484375 | OpenPGP Secret Key | 5.090094544660231 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .00cfg | 0x2e000 | 0x8 | 0x200 | 160c8b290b62e5e566d05ce3bec76423 | False | 0.03125 | data | 0.06116285224115448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x2f000 | 0x1400 | 0x1400 | 29fb367912ce622b91120c5cffd84495 | False | 0.81953125 | data | 6.557860970753822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| .coS | 0x31000 | 0x4ea00 | 0x4ea00 | 358c2236df00894d3b77fbf3f79f36c2 | False | 1.000329143481717 | data | 7.999351184277866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| DLL | Import |
|---|---|
| KERNEL32.dll | CloseHandle, CompareStringW, CreateFileA, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileType, GetLastError, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile |
| GDI32.dll | CreateEllipticRgn |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-23T09:49:00.432707+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:01.107725+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:01.107725+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:02.462552+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:03.189450+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:03.189450+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:04.724286+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:08.091904+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:08.818658+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:10.297377+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:13.021780+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:15.864845+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | TCP |
| 2024-11-23T09:49:18.622598+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 172.67.162.84 | 443 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 09:48:59.151767015 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:48:59.151854038 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:48:59.151966095 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:48:59.155092001 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:48:59.155128956 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:00.432600975 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:00.432707071 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:00.436986923 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:00.437020063 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:00.437437057 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:00.481507063 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:00.481756926 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:00.481811047 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:00.482057095 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:01.107832909 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:01.108063936 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:01.108266115 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:01.113946915 CET | 49730 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:01.113981962 CET | 443 | 49730 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:01.158713102 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:01.158762932 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:01.158859968 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:01.159135103 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:01.159153938 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:02.462483883 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:02.462552071 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:02.464242935 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:02.464252949 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:02.464492083 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:02.465936899 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:02.466011047 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:02.466036081 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189440966 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189486980 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189515114 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189536095 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.189544916 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189557076 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189591885 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.189650059 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.189703941 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.189727068 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.205094099 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.205171108 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.205188990 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.213459015 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.213519096 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.213532925 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.262742043 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.398958921 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.402884960 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.402939081 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.402972937 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.402993917 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.403058052 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.403143883 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.403172970 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.403199911 CET | 49731 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.403213024 CET | 443 | 49731 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.510045052 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.510143042 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:03.510234118 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.510540962 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:03.510577917 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:04.724203110 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:04.724286079 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:04.738908052 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:04.738957882 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:04.739270926 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:04.749830961 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:04.750080109 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:04.750123978 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:04.750232935 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:04.750248909 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:06.748483896 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:06.748594046 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:06.748698950 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:06.748867035 CET | 49732 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:06.748908043 CET | 443 | 49732 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:06.877975941 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:06.878021955 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:06.878092051 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:06.878365993 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:06.878381014 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.091797113 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.091903925 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.092998028 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.093004942 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.093313932 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.094475985 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.094614983 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.094639063 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.818675041 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.818768024 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:08.818811893 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.818927050 CET | 49733 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:08.818939924 CET | 443 | 49733 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:09.031749964 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:09.031841993 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:09.032071114 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:09.032320976 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:09.032360077 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:10.297256947 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:10.297377110 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:10.298587084 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:10.298629999 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:10.299706936 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:10.300817013 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:10.300949097 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:10.301002026 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:10.301105022 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:10.301120996 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:11.185909986 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:11.186192036 CET | 443 | 49734 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:11.186208963 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:11.186278105 CET | 49734 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:11.801774025 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:11.801830053 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:11.801898956 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:11.802568913 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:11.802583933 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.021672964 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.021780014 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.023073912 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.023088932 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.023761034 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.027091026 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.027190924 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.027196884 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.724226952 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.724333048 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:13.724380016 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.724431038 CET | 49735 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:13.724453926 CET | 443 | 49735 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:14.557854891 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:14.557945013 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:14.558090925 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:14.558568001 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:14.558602095 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.864759922 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.864845037 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.866041899 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.866070032 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.866405964 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.877861023 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.878740072 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.878787041 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.878915071 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.878963947 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.879117966 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.879152060 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.879434109 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.879484892 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.880036116 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880104065 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.880430937 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880470991 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.880496025 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880522966 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.880675077 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880716085 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.880769968 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880872011 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.880935907 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.923362970 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.923593998 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.923666954 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.923726082 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:15.971357107 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:15.971448898 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:16.019365072 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:18.069598913 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:18.069842100 CET | 443 | 49736 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:18.069854975 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:18.069919109 CET | 49736 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:18.106555939 CET | 49739 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:18.106601954 CET | 443 | 49739 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:18.106692076 CET | 49739 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:18.106944084 CET | 49739 | 443 | 192.168.2.4 | 172.67.162.84 |
| Nov 23, 2024 09:49:18.106955051 CET | 443 | 49739 | 172.67.162.84 | 192.168.2.4 |
| Nov 23, 2024 09:49:18.622597933 CET | 49739 | 443 | 192.168.2.4 | 172.67.162.84 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 23, 2024 09:48:58.676820040 CET | 52067 | 53 | 192.168.2.4 | 1.1.1.1 |
| Nov 23, 2024 09:48:59.146656036 CET | 53 | 52067 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 09:48:58.676820040 CET | 192.168.2.4 | 1.1.1.1 | 0x43f9 | Standard query (0) | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Nov 23, 2024 09:48:59.146656036 CET | 1.1.1.1 | 192.168.2.4 | 0x43f9 | No error (0) | 172.67.162.84 | A (IP address) | IN (0x0001) | false | ||
| Nov 23, 2024 09:48:59.146656036 CET | 1.1.1.1 | 192.168.2.4 | 0x43f9 | No error (0) | 104.21.33.116 | A (IP address) | IN (0x0001) | false |
|
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49730 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:00 UTC | 265 | OUT | |
| 2024-11-23 08:49:00 UTC | 8 | OUT | |
| 2024-11-23 08:49:01 UTC | 1019 | IN | |
| 2024-11-23 08:49:01 UTC | 7 | IN | |
| 2024-11-23 08:49:01 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49731 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:02 UTC | 266 | OUT | |
| 2024-11-23 08:49:02 UTC | 52 | OUT | |
| 2024-11-23 08:49:03 UTC | 1009 | IN | |
| 2024-11-23 08:49:03 UTC | 360 | IN | |
| 2024-11-23 08:49:03 UTC | 886 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN | |
| 2024-11-23 08:49:03 UTC | 1369 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49732 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:04 UTC | 285 | OUT | |
| 2024-11-23 08:49:04 UTC | 15331 | OUT | |
| 2024-11-23 08:49:04 UTC | 2843 | OUT | |
| 2024-11-23 08:49:06 UTC | 1020 | IN | |
| 2024-11-23 08:49:06 UTC | 19 | IN | |
| 2024-11-23 08:49:06 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 49733 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:08 UTC | 276 | OUT | |
| 2024-11-23 08:49:08 UTC | 8747 | OUT | |
| 2024-11-23 08:49:08 UTC | 1019 | IN | |
| 2024-11-23 08:49:08 UTC | 19 | IN | |
| 2024-11-23 08:49:08 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 49734 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:10 UTC | 282 | OUT | |
| 2024-11-23 08:49:10 UTC | 15331 | OUT | |
| 2024-11-23 08:49:10 UTC | 5099 | OUT | |
| 2024-11-23 08:49:11 UTC | 1025 | IN | |
| 2024-11-23 08:49:11 UTC | 19 | IN | |
| 2024-11-23 08:49:11 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 49735 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:13 UTC | 281 | OUT | |
| 2024-11-23 08:49:13 UTC | 1236 | OUT | |
| 2024-11-23 08:49:13 UTC | 1020 | IN | |
| 2024-11-23 08:49:13 UTC | 19 | IN | |
| 2024-11-23 08:49:13 UTC | 5 | IN |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 6 | 192.168.2.4 | 49736 | 172.67.162.84 | 443 | 3864 | C:\Users\user\Desktop\Loader.exe |
| Timestamp | Bytes transferred | Direction | Data |
|---|---|---|---|
| 2024-11-23 08:49:15 UTC | 275 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:15 UTC | 15331 | OUT | |
| 2024-11-23 08:49:18 UTC | 1017 | IN |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
| Target ID: | 0 |
| Start time: | 03:48:57 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe50000 |
| File size: | 500'224 bytes |
| MD5 hash: | 0E6FCE268473AAD13DA6AA0C2E93EC94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 03:48:57 |
| Start date: | 23/11/2024 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7699e0000 |
| File size: | 862'208 bytes |
| MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 03:48:57 |
| Start date: | 23/11/2024 |
| Path: | C:\Users\user\Desktop\Loader.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe50000 |
| File size: | 500'224 bytes |
| MD5 hash: | 0E6FCE268473AAD13DA6AA0C2E93EC94 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Yara matches: |
|
| Reputation: | low |
| Has exited: | true |
Execution Graph
| Execution Coverage: | 4.1% |
| Dynamic/Decrypted Code Coverage: | 0.5% |
| Signature Coverage: | 3.7% |
| Total number of Nodes: | 1560 |
| Total number of Limit Nodes: | 24 |
Graph
Function 00E7B18D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295threadinjectionmemoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5CD10 Relevance: .0, Instructions: 29COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E69DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5BEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E66CE6 Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6A732 Relevance: 3.1, APIs: 2, Instructions: 65COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E66E00 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6B0CB Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E63B60 Relevance: 1.6, APIs: 1, Instructions: 86COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5CD90 Relevance: 1.5, APIs: 1, Instructions: 41COMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6BC45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E64CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5CE70 Relevance: 8.0, APIs: 5, Instructions: 518threadCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6C7DB Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E65444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E615A0 Relevance: 4.4, APIs: 2, Instructions: 1444COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E65200 Relevance: 1.6, APIs: 1, Instructions: 147COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E65438 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E69F90 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E586C0 Relevance: .7, Instructions: 725COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E634D0 Relevance: .6, Instructions: 607COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5F980 Relevance: .5, Instructions: 456COMMONLIBRARYCODE
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5BD50 Relevance: .0, Instructions: 15COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E690D3 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E70308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E66F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E694F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E68D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E645A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Execution Graph
| Execution Coverage: | 5.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 37% |
| Total number of Nodes: | 235 |
| Total number of Limit Nodes: | 14 |
Graph
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043ABD0 Relevance: 30.4, APIs: 11, Strings: 6, Instructions: 662memorycomCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00408BC0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170threadCOMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041F580 Relevance: 8.1, Strings: 6, Instructions: 605COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442310 Relevance: 2.7, Strings: 2, Instructions: 152COMMON
Download Yara Rule
Control-flow Graph
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00430A2D Relevance: 1.9, APIs: 1, Instructions: 382COMMON
Download Yara Rule
Control-flow Graph
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EEDD Relevance: 1.8, APIs: 1, Instructions: 340COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004435B0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FE20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FE80 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442790 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442AF0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429680 Relevance: .3, Instructions: 344COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421F60 Relevance: .2, Instructions: 177COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042EF3E Relevance: .1, Instructions: 140COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Control-flow Graph
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0044097C Relevance: 3.0, APIs: 2, Instructions: 14COMMON
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043FDA0 Relevance: 1.6, APIs: 1, Instructions: 72memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D390 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004318BC Relevance: 1.5, APIs: 1, Instructions: 25COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00435C54 Relevance: 1.5, APIs: 1, Instructions: 23COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040CCC3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D37B Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00427558 Relevance: 11.5, Strings: 9, Instructions: 268COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426AC2 Relevance: 10.2, Strings: 8, Instructions: 170COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004210D0 Relevance: 9.6, Strings: 7, Instructions: 806COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D327 Relevance: 7.9, Strings: 6, Instructions: 388COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00409990 Relevance: 7.9, Strings: 6, Instructions: 379COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041D1BE Relevance: 6.4, Strings: 5, Instructions: 111COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E65444 Relevance: 6.1, APIs: 4, Instructions: 73COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429AEE Relevance: 5.5, Strings: 4, Instructions: 549COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040AD40 Relevance: 5.4, Strings: 4, Instructions: 367COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426760 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041CD83 Relevance: 5.1, Strings: 4, Instructions: 103COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B657 Relevance: 3.7, Strings: 2, Instructions: 1160COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004256D1 Relevance: 3.2, Strings: 2, Instructions: 698COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043DD90 Relevance: 3.1, Strings: 2, Instructions: 587COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043048B Relevance: 3.0, Strings: 2, Instructions: 466COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040D382 Relevance: 2.7, Strings: 2, Instructions: 197COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041ADD5 Relevance: 2.7, Strings: 2, Instructions: 195COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B5C0 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419DD1 Relevance: 2.7, Strings: 2, Instructions: 168COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041BCD5 Relevance: 2.7, Strings: 2, Instructions: 167COMMON
Download Yara Rule
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004414B0 Relevance: 2.1, Strings: 1, Instructions: 884COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004415E0 Relevance: 2.0, Strings: 1, Instructions: 741COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441760 Relevance: 1.9, Strings: 1, Instructions: 637COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441840 Relevance: 1.9, Strings: 1, Instructions: 607COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441920 Relevance: 1.8, Strings: 1, Instructions: 556COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00424DF0 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041B02F Relevance: 1.7, Strings: 1, Instructions: 406COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B5DE Relevance: 1.6, Strings: 1, Instructions: 322COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043E4A0 Relevance: 1.5, Strings: 1, Instructions: 291COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042FA7B Relevance: 1.5, Strings: 1, Instructions: 278COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0043D970 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00441F00 Relevance: 1.4, Strings: 1, Instructions: 170COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042E6FC Relevance: 1.4, Strings: 1, Instructions: 167COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041AA68 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442950 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042B880 Relevance: 1.4, Strings: 1, Instructions: 155COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00442150 Relevance: 1.4, Strings: 1, Instructions: 154COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A0F8 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
Download Yara Rule
| Strings |
|
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00425050 Relevance: .4, Instructions: 449COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041976F Relevance: .3, Instructions: 285COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00419A1F Relevance: .3, Instructions: 265COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004200C6 Relevance: .2, Instructions: 234COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042C778 Relevance: .2, Instructions: 208COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00421A80 Relevance: .2, Instructions: 206COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042AE30 Relevance: .2, Instructions: 197COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042CF9F Relevance: .1, Instructions: 145COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00429520 Relevance: .1, Instructions: 129COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 004426A0 Relevance: .1, Instructions: 94COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426E01 Relevance: .1, Instructions: 78COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00438450 Relevance: .1, Instructions: 64COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042D4D0 Relevance: .1, Instructions: 63COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0041A080 Relevance: .1, Instructions: 61COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0042ADEA Relevance: .0, Instructions: 21COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 0040C09A Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00426ED0 Relevance: .0, Instructions: 14COMMON
Download Yara Rule
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E64CA2 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 180libraryloaderCOMMON
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E690D3 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 303COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E70308 Relevance: 12.2, APIs: 8, Instructions: 248COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E69DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E5BEB0 Relevance: 9.2, APIs: 6, Instructions: 173fileCOMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E66F54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6DF1D Relevance: 7.7, APIs: 5, Instructions: 197COMMON
Download Yara Rule
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E694F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6DC5E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6C5B8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6CB54 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
Download Yara Rule
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E6D22D Relevance: 6.1, APIs: 4, Instructions: 74COMMON
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| APIs |
|
| Strings |
| Memory Dump Source |
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E641C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E68D6C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE
Download Yara Rule
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E64241 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
Function 00E645A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMONLIBRARYCODE
Download Yara Rule
| APIs |
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|