Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1568680
MD5:	61fe809e805e74c4d6fc33b0e5a3305e
SHA1:	3f62636e3d1de3a0346e812cb57d06cea445b789
SHA256:	466682a767a27edcb28e3d2ae0ed221836db7d7dcb73fa88879c4b5944ba829d
Tags:	exeuser-jstrosch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Contains functionality to dynamically determine API calls

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Modifies existing windows services

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 61FE809E805E74C4D6FC33B0E5A3305E)

jmbnii.exe (PID: 1088 cmdline: C:\Windows\jmbnii.exe MD5: 61FE809E805E74C4D6FC33B0E5A3305E)

cleanup

Suricata Signatures

ET MALWARE Win32/Agent.RTQ CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49704	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49820	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49902	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49724	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49784	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49845	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49951	202.181.25.108	16681	TCP
2024-12-04T20:19:03.086689+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49704	202.181.25.108	16681	TCP
2024-12-04T20:19:04.320762+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:19:26.340787+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:19:28.169505+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49724	202.181.25.108	16681	TCP
2024-12-04T20:19:48.387474+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:19:53.210644+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49784	202.181.25.108	16681	TCP
2024-12-04T20:20:08.574153+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49820	199.59.243.227	8081	TCP
2024-12-04T20:20:18.226457+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49845	202.181.25.108	16681	TCP
2024-12-04T20:20:43.259628+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49902	202.181.25.108	16681	TCP
2024-12-04T20:21:08.366684+0100	2034193	1	Malware Command and Control Activity Detected	192.168.2.5	49951	202.181.25.108	16681	TCP

ETPRO MALWARE Win32/DDoS.tf CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T20:19:04.320762+0100	2837549	1	Malware Command and Control Activity Detected	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:19:26.340787+0100	2837549	1	Malware Command and Control Activity Detected	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:19:48.387474+0100	2837549	1	Malware Command and Control Activity Detected	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:20:08.574153+0100	2837549	1	Malware Command and Control Activity Detected	192.168.2.5	49820	199.59.243.227	8081	TCP

Code function: 0_2_00405178 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GetComputerNameA,GetSystemDefaultUILanguage,send,select,__WSAFDIsSet,recv,GetTempPathA,wsprintfA,LoadLibraryA,GetProcAddress,WinExec,closesocket,closesocket,

0_2_00405178

Source: global traffic	DNS traffic detected: DNS query: souhu.ydns.eu
Source: global traffic	DNS traffic detected: DNS query: v8.ter.tf

Source: file.exe, file.exe, 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmp, jmbnii.exe, 00000001.00000002.3286263402.0000000000414000.00000040.00000001.01000000.00000004.sdmp

String found in binary or memory: http://www.baidu.com

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\jmbnii.exe			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\jmbnii.exe\:Zone.Identifier:$DATA			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00410C4B	0_2_00410C4B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C207	0_2_0040C207
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404AA9	0_2_00404AA9

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00408453 appears 452 times

Source: file.exe, 00000000.00000000.2028357674.000000000041D000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAuthn.exe vs file.exe
Source: file.exe, 00000000.00000002.2029583854.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAuthn.exe vs file.exe
Source: file.exe, 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameAuthn.exe vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameAuthn.exe vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.evad.winEXE@2/2@2/2

Source: C:\Users\user\Desktop\file.exe

Code function: GetModuleFileNameA,LoadLibraryA,GetProcAddress,wsprintfA,CopyFileA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,

0_2_00406903

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00406903 GetModuleFileNameA,LoadLibraryA,GetProcAddress,wsprintfA,CopyFileA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlen,RegSetValueExA,

0_2_00406903

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004066B8 Sleep,StartServiceCtrlDispatcherA,

0_2_004066B8

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 94%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Windows\jmbnii.exe C:\Windows\jmbnii.exe

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\jmbnii.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00406903

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408490 push eax; ret		0_2_004084BE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408998 push eax; ret		0_2_004089B6

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\jmbnii.exe

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\jmbnii.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\jmbnii.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Pqrstua Cdefgh

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00406903

Hooking and other Techniques for Hiding and Protection

Moves itself to temp directory

Source: c:\users\user\desktop\file.exe

File moved: C:\Users\user\AppData\Local\Temp\41f1168

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-8106

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-8615

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-7082

Source: C:\Users\user\Desktop\file.exe

API coverage: 8.0 %

Source: C:\Windows\jmbnii.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

0_2_00405178

Source: jmbnii.exe, 00000001.00000002.3286491176.000000000071A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-7850

Source: C:\Users\user\Desktop\file.exe

0_2_00406903

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DE48 SetUnhandledExceptionFilter,		0_2_0040DE48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DE5A SetUnhandledExceptionFilter,		0_2_0040DE5A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004089B7 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_004089B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004089B7 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_004089B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004090F1 GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_004090F1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	14 Windows Service	14 Windows Service	22 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	4 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	95%	ReversingLabs	Win32.Trojan.ServStart
file.exe	100%	Avira	TR/Downloader.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\jmbnii.exe	100%	Avira	TR/Downloader.Gen
C:\Windows\jmbnii.exe	100%	Joe Sandbox ML
C:\Windows\jmbnii.exe	95%	ReversingLabs	Win32.Trojan.ServStart

Name	IP	Active	Malicious	Reputation
souhu.ydns.eu	202.181.25.108	true	true	unknown
74202.bodis.com	199.59.243.227	true	true	unknown
v8.ter.tf	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.baidu.com	file.exe, file.exe, 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmp, jmbnii.exe, 00000001.00000002.3286263402.0000000000414000.00000040.00000001.01000000.00000004.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
202.181.25.108	souhu.ydns.eu	Hong Kong		55933	CLOUDIE-AS-APCloudieLimitedHK	true
199.59.243.227	74202.bodis.com	United States		395082	BODIS-NJUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568680
Start date and time:	2024-12-04 20:18:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@2/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 8 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.243.227	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	www.dating-ml-es.xyz/pvrm/
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	www.sql.dance/9p84/
	SW_5724.exe	Get hash	malicious	FormBook	Browse	www.whisperart.net/27s6/
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.honk.city/c8xp/
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/xz45/
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.acond-22-mvr.click/w9z4/
	FATURA.exe	Get hash	malicious	FormBook	Browse	www.timetime.store/wxr5/
	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.acond-22-mvr.click/w9z4/
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.honk.city/c8xp/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74202.bodis.com	ARM6LinuxTF.elf	Get hash	malicious	Unknown	Browse	199.59.243.227
	LinuxTF.elf	Get hash	malicious	Unknown	Browse	199.59.243.227
	LinuxTF.elf	Get hash	malicious	Unknown	Browse	199.59.243.226
	RR.exe	Get hash	malicious	Unknown	Browse	199.59.243.226
	8N1lJF2fNX.elf	Get hash	malicious	Unknown	Browse	199.59.243.225

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BODIS-NJUS	ek8LkB2Cgo.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	199.59.243.227
	http://divisioninfo.net/	Get hash	malicious	Unknown	Browse	199.59.243.205
	SW_5724.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.227
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.227
	FATURA.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.59.243.227
CLOUDIE-AS-APCloudieLimitedHK	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	45.192.33.233
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	122.10.88.94
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	144.48.249.121
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	103.118.226.120
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	191.96.235.60
	bot.arm5.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	191.96.235.60
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	191.96.235.60
	bot.arm.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	191.96.235.60
	bot.ppc.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	191.96.235.60
	bot.m68k.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	191.96.235.60

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	7.770319978556949
Encrypted:	false
SSDEEP:	768:fI0+FNeQT1ok/ILtq2FV5AY6t+ayph/bAUn26wriTJogrIyP85P85jaZV9VYnsxx:fI0eMCoHFVet+phX7lBF85EAa0GDit3
MD5:	61FE809E805E74C4D6FC33B0E5A3305E
SHA1:	3F62636E3D1DE3A0346E812CB57D06CEA445B789
SHA-256:	466682A767A27EDCB28E3D2AE0ED221836DB7D7DCB73FA88879C4B5944BA829D
SHA-512:	773B1F451617523B5481632AC3F347265230DF418CBC95F687556CFC278753745A5A4F08E327088DDD25FD7FFEFD6BDEE06973B653E60BB0C62AB526CCB16D41
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5...[..[..[..P..[.8.U..[..Q...[.x....[..Z...[.S.P..[.\|.]..[.Rich..[.........PE..L......X............................0.... ........@.................................................................................................................................................................................................UPX0....................................UPX1......... ......................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....

C:\Windows\jmbnii.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.770319978556949
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	46'592 bytes
MD5:	61fe809e805e74c4d6fc33b0e5a3305e
SHA1:	3f62636e3d1de3a0346e812cb57d06cea445b789
SHA256:	466682a767a27edcb28e3d2ae0ed221836db7d7dcb73fa88879c4b5944ba829d
SHA512:	773b1f451617523b5481632ac3f347265230df418cbc95f687556cfc278753745a5a4f08e327088ddd25fd7ffefd6bdee06973b653e60bb0c62ab526ccb16d41
SSDEEP:	768:fI0+FNeQT1ok/ILtq2FV5AY6t+ayph/bAUn26wriTJogrIyP85P85jaZV9VYnsxx:fI0eMCoHFVet+phX7lBF85EAa0GDit3
TLSH:	4823F1993BF5494FF09F507479FB0AEA549AB43C5AC463EA82E723591834734DC06A33
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5...[...[...[...P...[.8.U...[...Q...[.x.....[...Z...[.S.P...[.\|.]...[.Rich..[.........PE..L......X...........................

File Icon


Icon Hash:	4d0b1b0d4d33336c

Static PE Info

General

Entrypoint:	0x41c630
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x58F5D015 [Tue Apr 18 08:36:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5a757cedf03930b945cf2435af0c6f5b

Entrypoint Preview

Instruction
pushad
mov esi, 00412000h
lea edi, dword ptr [esi-00011000h]
push edi
or ebp, FFFFFFFFh
jmp 00007FE5DCADEBB2h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FE5DCADEBA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FE5DCADEB8Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FE5DCADEBA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FE5DCADEB91h
jne 00007FE5DCADEBABh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FE5DCADEB86h
xor ecx, ecx
sub eax, 03h
jc 00007FE5DCADEBAFh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FE5DCADEC16h
mov ebp, eax
add ebx, ebx
jne 00007FE5DCADEBA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007FE5DCADEBA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007FE5DCADEBC2h
inc ecx
add ebx, ebx
jne 00007FE5DCADEBA9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FE5DCADEB91h
jne 00007FE5DCADEBABh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FE5DCADEB86h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FE5DCADEBB1h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007FE5DCADEB99h
jmp 00007FE5DCADEB08h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 00000000h

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d814	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x814	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x12000	0xb000	0xa800	719447f4bb2136ad7bbe75d28f6c5fd9	False	0.9826311383928571	data	7.9143336638399555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x1000	0xa00	6765547ceb833e0403086a2054af70ed	False	0.41484375	data	3.4953830391223066	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d0ec	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	Canada	0.353494623655914
RT_GROUP_ICON	0x1d3d8	0x14	data	English	Canada	1.2
RT_VERSION	0x1d3f0	0x424	data	English	Canada	0.46132075471698114

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegOpenKeyA
iphlpapi.dll	GetIfTable
USER32.dll	wsprintfA
WININET.dll	InternetOpenA
WS2_32.dll	WSAGetLastError

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Canada

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49704	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49820	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49902	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49724	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49784	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49845	202.181.25.108	16681	TCP
2024-12-04T20:18:58.916337+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49951	202.181.25.108	16681	TCP
2024-12-04T20:19:03.086689+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49704	202.181.25.108	16681	TCP
2024-12-04T20:19:04.320762+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:19:04.320762+0100	2837549	ETPRO MALWARE Win32/DDoS.tf CnC Checkin	1	192.168.2.5	49705	199.59.243.227	8081	TCP
2024-12-04T20:19:26.340787+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:19:26.340787+0100	2837549	ETPRO MALWARE Win32/DDoS.tf CnC Checkin	1	192.168.2.5	49718	199.59.243.227	8081	TCP
2024-12-04T20:19:28.169505+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49724	202.181.25.108	16681	TCP
2024-12-04T20:19:48.387474+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:19:48.387474+0100	2837549	ETPRO MALWARE Win32/DDoS.tf CnC Checkin	1	192.168.2.5	49773	199.59.243.227	8081	TCP
2024-12-04T20:19:53.210644+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49784	202.181.25.108	16681	TCP
2024-12-04T20:20:08.574153+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49820	199.59.243.227	8081	TCP
2024-12-04T20:20:08.574153+0100	2837549	ETPRO MALWARE Win32/DDoS.tf CnC Checkin	1	192.168.2.5	49820	199.59.243.227	8081	TCP
2024-12-04T20:20:18.226457+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49845	202.181.25.108	16681	TCP
2024-12-04T20:20:43.259628+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49902	202.181.25.108	16681	TCP
2024-12-04T20:21:08.366684+0100	2034193	ET MALWARE Win32/Agent.RTQ CnC Activity	1	192.168.2.5	49951	202.181.25.108	16681	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 20:19:02.965996981 CET	49704	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:03.086112976 CET	16681	49704	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:03.086199999 CET	49704	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:03.086688995 CET	49704	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:03.206892014 CET	16681	49704	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:04.176970959 CET	49705	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:04.298290968 CET	8081	49705	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:04.298502922 CET	49705	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:04.320761919 CET	49705	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:04.447319031 CET	8081	49705	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:24.980290890 CET	16681	49704	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:24.980396032 CET	49704	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:24.980525970 CET	49704	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:25.111680984 CET	16681	49704	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:26.217444897 CET	8081	49705	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:26.217519999 CET	49705	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:26.217622042 CET	49705	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:26.220510006 CET	49718	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:26.337948084 CET	8081	49705	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:26.340260983 CET	8081	49718	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:26.340363979 CET	49718	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:26.340786934 CET	49718	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:26.460576057 CET	8081	49718	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:28.047995090 CET	49724	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:28.168807030 CET	16681	49724	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:28.168888092 CET	49724	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:28.169504881 CET	49724	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:28.294447899 CET	16681	49724	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:48.262083054 CET	8081	49718	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:48.262144089 CET	49718	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:48.262243032 CET	49718	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:48.264874935 CET	49773	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:48.383882999 CET	8081	49718	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:48.386919022 CET	8081	49773	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:48.387026072 CET	49773	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:48.387474060 CET	49773	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:19:48.512140989 CET	8081	49773	199.59.243.227	192.168.2.5
Dec 4, 2024 20:19:50.074551105 CET	16681	49724	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:50.077202082 CET	49724	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:50.077284098 CET	49724	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:50.197066069 CET	16681	49724	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:53.090223074 CET	49784	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:53.210038900 CET	16681	49784	202.181.25.108	192.168.2.5
Dec 4, 2024 20:19:53.210127115 CET	49784	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:53.210644007 CET	49784	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:19:53.330368042 CET	16681	49784	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:08.451108932 CET	8081	49773	199.59.243.227	192.168.2.5
Dec 4, 2024 20:20:08.451220989 CET	49773	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:20:08.451318026 CET	49773	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:20:08.453783989 CET	49820	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:20:08.571106911 CET	8081	49773	199.59.243.227	192.168.2.5
Dec 4, 2024 20:20:08.573683977 CET	8081	49820	199.59.243.227	192.168.2.5
Dec 4, 2024 20:20:08.573743105 CET	49820	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:20:08.574152946 CET	49820	8081	192.168.2.5	199.59.243.227
Dec 4, 2024 20:20:08.693994999 CET	8081	49820	199.59.243.227	192.168.2.5
Dec 4, 2024 20:20:15.090574026 CET	16681	49784	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:15.090651989 CET	49784	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:15.090756893 CET	49784	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:15.215420961 CET	16681	49784	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:18.105941057 CET	49845	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:18.225908041 CET	16681	49845	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:18.226048946 CET	49845	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:18.226457119 CET	49845	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:18.346147060 CET	16681	49845	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:40.122111082 CET	16681	49845	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:40.122210979 CET	49845	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:40.122366905 CET	49845	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:40.244112968 CET	16681	49845	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:43.137010098 CET	49902	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:43.259037971 CET	16681	49902	202.181.25.108	192.168.2.5
Dec 4, 2024 20:20:43.259217978 CET	49902	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:43.259628057 CET	49902	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:20:43.379383087 CET	16681	49902	202.181.25.108	192.168.2.5
Dec 4, 2024 20:21:05.169507980 CET	16681	49902	202.181.25.108	192.168.2.5
Dec 4, 2024 20:21:05.173269033 CET	49902	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:21:05.173404932 CET	49902	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:21:05.296973944 CET	16681	49902	202.181.25.108	192.168.2.5
Dec 4, 2024 20:21:08.245239019 CET	49951	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:21:08.366035938 CET	16681	49951	202.181.25.108	192.168.2.5
Dec 4, 2024 20:21:08.366215944 CET	49951	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:21:08.366683960 CET	49951	16681	192.168.2.5	202.181.25.108
Dec 4, 2024 20:21:08.488729000 CET	16681	49951	202.181.25.108	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 20:19:02.618626118 CET	63011	53	192.168.2.5	1.1.1.1
Dec 4, 2024 20:19:02.961721897 CET	53	63011	1.1.1.1	192.168.2.5
Dec 4, 2024 20:19:03.215176105 CET	50006	53	192.168.2.5	1.1.1.1
Dec 4, 2024 20:19:04.162785053 CET	53	50006	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 4, 2024 20:19:02.618626118 CET	192.168.2.5	1.1.1.1	0x91fa	Standard query (0)	souhu.ydns.eu	A (IP address)	IN (0x0001)	false
Dec 4, 2024 20:19:03.215176105 CET	192.168.2.5	1.1.1.1	0x107d	Standard query (0)	v8.ter.tf	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 4, 2024 20:19:02.961721897 CET	1.1.1.1	192.168.2.5	0x91fa	No error (0)	souhu.ydns.eu		202.181.25.108	A (IP address)	IN (0x0001)	false
Dec 4, 2024 20:19:04.162785053 CET	1.1.1.1	192.168.2.5	0x107d	No error (0)	v8.ter.tf	pltraffic30.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 4, 2024 20:19:04.162785053 CET	1.1.1.1	192.168.2.5	0x107d	No error (0)	pltraffic30.com	74202.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 4, 2024 20:19:04.162785053 CET	1.1.1.1	192.168.2.5	0x107d	No error (0)	74202.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:19:01
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	46'592 bytes
MD5 hash:	61FE809E805E74C4D6FC33B0E5A3305E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:19:01
Start date:	04/12/2024
Path:	C:\Windows\jmbnii.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\jmbnii.exe
Imagebase:	0x400000
File size:	46'592 bytes
MD5 hash:	61FE809E805E74C4D6FC33B0E5A3305E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.2%
Total number of Nodes:	1943
Total number of Limit Nodes:	5

Executed Functions

Function 00406903 Relevance: 46.3, APIs: 18, Strings: 8, Instructions: 783
serviceregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,i=%d, j=%d,x=%d, y=%d), ref: 00406959
LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 00406A37
GetProcAddress.KERNEL32(00000000), ref: 00406A3E
wsprintfA.USER32 ref: 00406B16
CopyFileA.KERNEL32(?,?,00000000), ref: 00406B7A
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00406C01
CreateServiceA.ADVAPI32(00000000,?,00000009,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 00406C38
LockServiceDatabase.ADVAPI32(?), ref: 00406CB6

Part of subcall function 00402673: GetTickCount.KERNEL32 ref: 00402674

ChangeServiceConfig2A.ADVAPI32(?,00000001,Pqrstu Bcdefgh Jklmnop Rstu), ref: 00406DAA
ChangeServiceConfig2A.ADVAPI32(?,00000002,00015180), ref: 00407152
UnlockServiceDatabase.ADVAPI32(?), ref: 004071C3
GetLastError.KERNEL32 ref: 00407237
OpenServiceA.ADVAPI32(?,?,000F01FF), ref: 00407252
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0040726B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0040727B
RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 0040747A
lstrlen.KERNEL32(00000006), ref: 0040759E
RegSetValueExA.KERNELBASE(00000000,Description,00000000,00000001,00000006,00000000), ref: 004075B9

Strings

x=%d, y=%d, xrefs: 00406927, 0040693D, 00406942, 0040696B, 0040697D, 00406A22, 00406A56, 00406A7D, 00406ABA, 00406B39, 00406B61, 00406B8C, 00406BB1, 00406BE0, 00406CA7, 00406D22, 00406D92, 00406E10, 00406E8B, 00406EF7, 00406F5C, 00406FD2, 00407045, 004070BB, 00407136, 004071B0, 00407221, 004073E9, 0040745A, 004074D8, 0040758E, 004075BF
Description, xrefs: 004075AC, 004075B2
i=%d, j=%d, xrefs: 00406928, 0040692F, 00406934, 00406962, 00406974, 00406A19, 00406A4D, 00406A74, 00406AB1, 00406B30, 00406B58, 00406B83, 00406BA8, 00406BD7, 00406C72, 00406CED, 00406D5D, 00406DDB, 00406E5A, 00406EC6, 00406F2B, 00406FA1, 00407014, 0040708A, 00407105, 0040717F, 004071F0, 004073B8, 00407429, 004074A7, 0040755D, 004075C4
KERNEL32.dll, xrefs: 00406A32
SYSTEM\CurrentControlSet\Services\, xrefs: 0040737E, 00407384
Pqrstu Bcdefgh Jklmnop Rstu, xrefs: 00406D28, 00406DA1
GetWindowsDirectoryA, xrefs: 00406A2B, 00406A31
%c%c%c%c%c%c.exe, xrefs: 00406B0A

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Service$Open$ChangeConfig2DatabaseFileStart$AddressCopyCountCreateErrorLastLibraryLoadLockManagerModuleNameProcTickUnlockValuelstrlenwsprintf
String ID: i=%d, j=%d$x=%d, y=%d$%c%c%c%c%c%c.exe$Description$GetWindowsDirectoryA$KERNEL32.dll$Pqrstu Bcdefgh Jklmnop Rstu$SYSTEM\CurrentControlSet\Services\
API String ID: 832154477-2699205238
Opcode ID: bedf644c4407e06064571c2419833b12b365bcd373c45df744f87781990351bf
Instruction ID: cba1d5e8264335582ecc211d4592ab60c630dd2d1c7fc02c3ed6fc99ef73f386
Opcode Fuzzy Hash: bedf644c4407e06064571c2419833b12b365bcd373c45df744f87781990351bf
Instruction Fuzzy Hash: EA7264B0C45768AEEB309F158D45BDFBE78AF05755F0040DEE24CAA282D7B90A84CF59

Function 004066B8 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 74
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000BB8), ref: 004066D9

Part of subcall function 00406903: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,i=%d, j=%d,x=%d, y=%d), ref: 00406959
Part of subcall function 00406903: LoadLibraryA.KERNEL32(KERNEL32.dll,GetWindowsDirectoryA), ref: 00406A37
Part of subcall function 00406903: GetProcAddress.KERNEL32(00000000), ref: 00406A3E

Part of subcall function 004046A2: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,i=%d, j=%d,x=%d, y=%d), ref: 004046FA
Part of subcall function 004046A2: GetTempPathA.KERNEL32(00000104,?), ref: 00404730
Part of subcall function 004046A2: GetTickCount.KERNEL32 ref: 0040474B
Part of subcall function 004046A2: wsprintfA.USER32 ref: 0040476D
Part of subcall function 004046A2: MoveFileA.KERNEL32(?,?), ref: 00404795

StartServiceCtrlDispatcherA.ADVAPI32(~BAa@), ref: 0040674B

Strings

x=%d, y=%d, xrefs: 0040670D, 00406714, 0040673E, 0040675A, 00406761, 00406789
i=%d, j=%d, xrefs: 004066FA, 00406703, 00406726, 0040677F
Pqrstu Bcdefgh Jklmnop Rstu, xrefs: 0040676C
~BAa@, xrefs: 00406747, 0040674A
Pqrs Uabcdef Hijklmnopq S, xrefs: 00406767
shutdown -s -t 5, xrefs: 004066DF
Pqrstua Cdefgh, xrefs: 00406771
5A9F769FF57B7E1E994A964B211C5F1980FC12, xrefs: 004066C3
5A9F769FF57B7E1E994A964B211C5F1980FC12, xrefs: 004066BE

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$ModuleName$AddressCountCtrlDispatcherLibraryLoadMovePathProcServiceSleepStartTempTickwsprintf
String ID: i=%d, j=%d$x=%d, y=%d$5A9F769FF57B7E1E994A964B211C5F1980FC12$5A9F769FF57B7E1E994A964B211C5F1980FC12$Pqrs Uabcdef Hijklmnopq S$Pqrstu Bcdefgh Jklmnop Rstu$Pqrstua Cdefgh$shutdown -s -t 5$~BAa@
API String ID: 795464177-2033290253
Opcode ID: 8fa4525055084a4db11bd278fa1b536cd7e5afc69807efa38a517af081efe3e7
Instruction ID: e391362c1d2b32bd6534a3dd0d8ed186557fca575c08b26e38e2494118734c25
Opcode Fuzzy Hash: 8fa4525055084a4db11bd278fa1b536cd7e5afc69807efa38a517af081efe3e7
Instruction Fuzzy Hash: 7911B131A8031975E6203AA25D03FDE22154B92B9CF11846FB641B91C3EEFD02A055AD

Function 004090F1 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00409117

Part of subcall function 0040B7DF: HeapCreate.KERNELBASE(00000000,00001000,00000000,00409150,00000000), ref: 0040B7F0
Part of subcall function 0040B7DF: HeapDestroy.KERNEL32 ref: 0040B82F

GetCommandLineA.KERNEL32 ref: 00409165
GetStartupInfoA.KERNEL32(?), ref: 00409190
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004091B3

Part of subcall function 0040920C: ExitProcess.KERNEL32 ref: 00409229

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 0ddbcbb17f5e0b16f3d1c96c9be448b476264f1ec36428be21afa5781b835fac
Instruction ID: a914df47906715faddd06c7dbbc696d45a55d543718c1a19795018abbbfeac38
Opcode Fuzzy Hash: 0ddbcbb17f5e0b16f3d1c96c9be448b476264f1ec36428be21afa5781b835fac
Instruction Fuzzy Hash: 5821A1B0D00615AEDB08AFA5DD09AAE7BB9EF45714F10413EF501AB2D1DB384840CB99

Function 0040679F Relevance: 68.4, APIs: 2, Strings: 37, Instructions: 118
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000000,00000000,000F003F,?), ref: 004068CF
RegCloseKey.ADVAPI32(?), ref: 004068DC

Strings

e, xrefs: 0040681C
t, xrefs: 00406834
o, xrefs: 0040683C
E, xrefs: 00406800
t, xrefs: 0040684C
n, xrefs: 00406830
Y, xrefs: 004067F4
\, xrefs: 00406850
v, xrefs: 00406860
l, xrefs: 00406840
r, xrefs: 00406814
x=%d, y=%d, xrefs: 004067D5, 004067DB, 00406889, 004068AF, 004068EE
i=%d, j=%d, xrefs: 004067C7, 004067CD, 00406880, 004068A6, 004068E5
T, xrefs: 004067FC
o, xrefs: 0040682C
\, xrefs: 00406874
M, xrefs: 00406804
C, xrefs: 00406828
r, xrefs: 0040685C
t, xrefs: 00406824
s, xrefs: 00406870
S, xrefs: 00406844
S, xrefs: 00406854
C, xrefs: 0040680C
i, xrefs: 00406864
\, xrefs: 00406808
e, xrefs: 0040686C
r, xrefs: 00406818
u, xrefs: 00406810
r, xrefs: 00406838
Pqrstua Cdefgh, xrefs: 00406895
e, xrefs: 00406858
c, xrefs: 00406868
n, xrefs: 00406820
S, xrefs: 004067F0
S, xrefs: 004067F8
e, xrefs: 00406848

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseOpen
String ID: i=%d, j=%d$x=%d, y=%d$C$C$E$M$Pqrstua Cdefgh$S$S$S$S$T$Y$\$\$\$c$e$e$e$e$i$l$n$n$o$o$r$r$r$r$s$t$t$t$u$v
API String ID: 47109696-855131241
Opcode ID: 68e20c3ea576ced47e659c1a445a72db15dd5ff4a55ac3331c2defc46e261548
Instruction ID: 5a8b8ad81cc7a7b9cd09d9ce3aa0b9a317c818165233db944bcc23f09ba61b28
Opcode Fuzzy Hash: 68e20c3ea576ced47e659c1a445a72db15dd5ff4a55ac3331c2defc46e261548
Instruction Fuzzy Hash: 4F415851D082CDACFB0292A48D45BEF7EA94F16748F0480D9E284792C3D7FE1B1897B6

Function 004046A2 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 122
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,i=%d, j=%d,x=%d, y=%d), ref: 004046FA
GetTempPathA.KERNEL32(00000104,?), ref: 00404730
GetTickCount.KERNEL32 ref: 0040474B
wsprintfA.USER32 ref: 0040476D
MoveFileA.KERNEL32(?,?), ref: 00404795
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004047C0
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004047D4

Strings

x=%d, y=%d, xrefs: 004046AA, 004046BF, 004046C5, 004046E9, 0040470C, 0040471E, 00404742, 0040477F, 004047AB
i=%d, j=%d, xrefs: 004046AB, 004046B1, 004046B7, 004046E0, 00404703, 00404715, 00404739, 00404776, 004047A2
%s\%x, xrefs: 00404767

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$Move$CountModuleNamePathTempTickwsprintf
String ID: i=%d, j=%d$x=%d, y=%d$%s\%x
API String ID: 783850295-864343398
Opcode ID: 047ce07ff64e95f53e9becf3953f32f345bbbeaacd8470d4296a00e82092a1c7
Instruction ID: 079ca399ce9cbf441655caa0228a602bde5066c2d4a8c7b84bd90b7f71a4834e
Opcode Fuzzy Hash: 047ce07ff64e95f53e9becf3953f32f345bbbeaacd8470d4296a00e82092a1c7
Instruction Fuzzy Hash: D331CAB154020D7AF1207B519E87FFF365CDB46B88F40882EB344F51C3EAB95A1552BA

Function 004075EE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
serviceregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseServiceHandle.ADVAPI32(00000000,004075D2), ref: 004075FD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,004075D2), ref: 00407627
RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,004075D2), ref: 00407651

Strings

x=%d, y=%d, xrefs: 0040760F, 00407639
i=%d, j=%d, xrefs: 00407606, 00407630

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Close$HandleService
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 907781861-1211302626
Opcode ID: 220bacaeea4a704c0ccd3b3204518a5997c4cd4c74b43616beae75fa1ada9aa5
Instruction ID: 19c14899926468918d6cef8270e39b205b1c46aa1ad6c9d8733eb82b87f3f4eb
Opcode Fuzzy Hash: 220bacaeea4a704c0ccd3b3204518a5997c4cd4c74b43616beae75fa1ada9aa5
Instruction Fuzzy Hash: DBF03030801214ABDB323B15DE0DBDE3A389F05755F0084BAB20D741E3DB791B90EA69

Function 00408DAD Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,00000000,00408D8B,?,00000001,00000000,0040F3A6,00000000), ref: 00408DBD
TerminateProcess.KERNEL32(00000000), ref: 00408DC4
ExitProcess.KERNEL32 ref: 00408E3E

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 31f37dfd5c0ec7c6e0c1d3b4dbd6f8f7ff1d3ae5e6f1a23487f9610a48c834a6
Instruction ID: a1b80df7e12d7ecd6f869aa964610264992441ecb268049dbeb61c048f6a3229
Opcode Fuzzy Hash: 31f37dfd5c0ec7c6e0c1d3b4dbd6f8f7ff1d3ae5e6f1a23487f9610a48c834a6
Instruction Fuzzy Hash: FB0196722042019EDA219B55FE8469A7FA4EB94350B10453FF5C4E21E0DF789880CBAD

Function 0040B7DF Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00409150,00000000), ref: 0040B7F0

Part of subcall function 0040B697: GetVersionExA.KERNEL32 ref: 0040B6B6

HeapDestroy.KERNEL32 ref: 0040B82F

Part of subcall function 0040B9B6: RtlAllocateHeap.NTDLL(00000000,00000140,0040B818), ref: 0040B9C3

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$AllocateCreateDestroyVersion
String ID:
API String ID: 760317429-0
Opcode ID: eb125955d52d05ad980d36befe066e2454155b5d6e385255e3d49973fef2bc15
Instruction ID: bd24e9e70ad1b74e5f26fe1da03c64620d16eea188c42344ac3c43ce54a7c62e
Opcode Fuzzy Hash: eb125955d52d05ad980d36befe066e2454155b5d6e385255e3d49973fef2bc15
Instruction Fuzzy Hash: 0AF065B265830199DB206B715D457AA269DD754B95F10C83BF500E82F0EFB89980D64D

Non-executed Functions

Function 00405178 Relevance: 66.9, APIs: 17, Strings: 21, Instructions: 435
registrylibrarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402E73: __EH_prolog.LIBCMT ref: 00402E78
Part of subcall function 00402E73: htons.WS2_32(00001F91), ref: 00402F1A
Part of subcall function 00402E73: socket.WS2_32(00000002,00000001,00000000), ref: 00402F5D
Part of subcall function 00402E73: connect.WS2_32(?,00000002,00000010), ref: 00402F84
Part of subcall function 00402E73: closesocket.WS2_32(?), ref: 00402F92

Part of subcall function 00402FD5: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00402FEB
Part of subcall function 00402FD5: WSAIoctl.WS2_32(0002BF20,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 00403096

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 004051D0
RegQueryValueExA.ADVAPI32(?,ProductName,00000000,?,?,?), ref: 004051F2
RegCloseKey.ADVAPI32(?), ref: 004051FB
GetSystemInfo.KERNEL32(?), ref: 00405347
GetComputerNameA.KERNEL32(?,?), ref: 00405392
GetSystemDefaultUILanguage.KERNEL32 ref: 004053AD
send.WS2_32(0000000B,000000CC,00000000), ref: 0040544F
select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 0040547F
__WSAFDIsSet.WS2_32(00000001), ref: 0040549F
recv.WS2_32(?,000000C4,00000000), ref: 004054BB
GetTempPathA.KERNEL32(00000104,00000000), ref: 0040555C

Part of subcall function 00402673: GetTickCount.KERNEL32 ref: 00402674

wsprintfA.USER32 ref: 004055BE
LoadLibraryA.KERNEL32(urlmon.dll), ref: 00405606
GetProcAddress.KERNEL32(?,URLDownloadToFileA), ref: 0040562C
WinExec.KERNEL32(00000000,00000000), ref: 00405669
closesocket.WS2_32 ref: 004056B1
closesocket.WS2_32 ref: 004056BD

Strings

urlmon.dll, xrefs: 00405601
Windows 2003, xrefs: 0040526B
2003, xrefs: 00405250
Windows 2000, xrefs: 0040521F
2008, xrefs: 0040529C
Windows Vista, xrefs: 0040528F
Windows 8, xrefs: 004052F9
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004051A9
Windows NT, xrefs: 00405325
Vista, xrefs: 00405278
x=%d, y=%d, xrefs: 00405360, 00405366, 00405381, 004053A4, 004053C5, 004053E8, 004053FD, 00405431, 00405547, 0040556E, 004055E3, 004055F8, 0040561B, 00405641
Windows 7, xrefs: 004052D8
i=%d, j=%d, xrefs: 00405352, 00405358, 00405375, 0040539B, 004053B9, 004053DF, 004053F1, 00405428, 0040553E, 00405565, 004055DA, 004055EC, 0040560F, 00405635
URLDownloadToFileA, xrefs: 00405624
Windows 2008, xrefs: 004052B7
Windows 2012, xrefs: 0040531E
2000, xrefs: 00405204
Windows XP, xrefs: 00405243
ProductName, xrefs: 004051EA
2012, xrefs: 00405303
\%c%c%c%c%c.exe, xrefs: 004055B8

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: closesocket$System$AddressCloseComputerCountDefaultExecH_prologInfoIoctlLanguageLibraryLoadNameOpenPathProcQueryTempTickValueconnecthtonsrecvselectsendsetsockoptsocketwsprintf
String ID: i=%d, j=%d$x=%d, y=%d$2000$2003$2008$2012$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$URLDownloadToFileA$Vista$Windows 2000$Windows 2003$Windows 2008$Windows 2012$Windows 7$Windows 8$Windows NT$Windows Vista$Windows XP$\%c%c%c%c%c.exe$urlmon.dll
API String ID: 751268950-642500358
Opcode ID: a1b77f8743cf1b6ba5d24b315b7035596dff294fb74dde3c8d6d1611df5642d0
Instruction ID: a0c1be54b30e8db57778a8a6b5ef723af4a18605db769770b3d3167f59080fce
Opcode Fuzzy Hash: a1b77f8743cf1b6ba5d24b315b7035596dff294fb74dde3c8d6d1611df5642d0
Instruction Fuzzy Hash: 81D19171940609BAEB20ABA1DD4AFDF377CEB85704F50847FB604F51C2EABC46508A6D

Function 00404AA9 Relevance: 65.2, APIs: 35, Strings: 2, Instructions: 418
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,004030A1,?,00000000,00000000), ref: 00404B2A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,004056A3,?,?,?,000000C4), ref: 00404B31
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404B59
CreateThread.KERNEL32(00000000,00000000,Function_0000406C,?,00000000,00000000), ref: 00404B8E
CloseHandle.KERNEL32(00000000), ref: 00404B95
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404BBD
CreateThread.KERNEL32(00000000,00000000,Function_000047E7,?,00000000,00000000), ref: 00404BF2
CloseHandle.KERNEL32(00000000), ref: 00404BF5
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404C0F
CreateThread.KERNEL32(00000000,00000000,Function_000041A9,00000000,00000000,00000000), ref: 00404C2F
CloseHandle.KERNEL32(00000000), ref: 00404C36
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404C5E
CreateThread.KERNEL32(00000000,00000000,004032D1,?,00000000,00000000), ref: 00404C93
CloseHandle.KERNEL32(00000000), ref: 00404C9A
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404CC2
CreateThread.KERNEL32(00000000,00000000,Function_000026B3,?,00000000,00000000), ref: 00404CF7
CloseHandle.KERNEL32(00000000), ref: 00404CFE
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404D26
CreateThread.KERNEL32(00000000,00000000,004042B3,?,00000000,00000000), ref: 00404D5B
CloseHandle.KERNEL32(00000000), ref: 00404D62
CreateThread.KERNEL32(00000000,00000000,004043D0,?,00000000,00000000), ref: 00404D9F
CloseHandle.KERNEL32(00000000), ref: 00404DA2
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404DB5
CreateThread.KERNEL32(00000000,00000000,Function_000034E4,?,00000000,00000000), ref: 00404DEC
CloseHandle.KERNEL32(00000000), ref: 00404DF3
CreateThread.KERNEL32(00000000,00000000,Function_0000388D,?,00000000,00000000), ref: 00404E74
CloseHandle.KERNEL32(00000000), ref: 00404E7B
CreateThread.KERNEL32(00000000,00000000,Function_00003C2E,?,00000000,00000000), ref: 00404EF0
CloseHandle.KERNEL32(00000000), ref: 00404EF3
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404F06
CreateThread.KERNEL32(00000000,00000000,Function_00003471,?,00000000,00000000), ref: 00404F69

Strings

x=%d, y=%d, xrefs: 00404AAC, 00404AC1, 00404AC7, 00404AF1, 00404B43
i=%d, j=%d, xrefs: 00404AAA, 00404AB3, 00404AB9, 00404AE2, 00404B3A

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateThread$CloseHandle
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 738052048-1211302626
Opcode ID: be642960a439718b2bafd4ac865a2f717ca2561d504fee6b9b7bb2f7fbe7b8f4
Instruction ID: e06d2d7120ba2e540d0e41e5c008bd2057b7b57b1409691ba357ba26cc2fe2ff
Opcode Fuzzy Hash: be642960a439718b2bafd4ac865a2f717ca2561d504fee6b9b7bb2f7fbe7b8f4
Instruction Fuzzy Hash: E2D1B3B0105321BBC251DF22DC48DAB7E6CFF8A755F01492EF685A6192C7B89501CBF9

Function 00410C4B Relevance: 27.9, Strings: 22, Instructions: 417COMMON

Download Yara Rule

Strings

+, xrefs: 00410E40
-, xrefs: 00410D22
1, xrefs: 00410EC3
E, xrefs: 00410D35
9, xrefs: 00410D0C
0, xrefs: 00410EB9
-, xrefs: 00410E49
9, xrefs: 00410D60
0, xrefs: 00410D75
9, xrefs: 00410E98
+, xrefs: 00410D1D
9, xrefs: 00410EDC
0, xrefs: 00410D27
r|A, xrefs: 00410DA1, 00410E12, 00410E73, 00410F5C, 00410FA6
0, xrefs: 00410EEA
e, xrefs: 00410D43
1, xrefs: 00410E90
0, xrefs: 00410DEC
c, xrefs: 00410D3A
C, xrefs: 00410D2C
9, xrefs: 00410CBA
9, xrefs: 00410ECC

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e$r|A
API String ID: 0-3344251444
Opcode ID: bd0280880e8b8614f0578669a074afa243fbadc4ab0f276e24eacb07daba97d6
Instruction ID: f07466c33bc34597f4b172c9d266fd16fddb83ba62844f31d110c87da69269e0
Opcode Fuzzy Hash: bd0280880e8b8614f0578669a074afa243fbadc4ab0f276e24eacb07daba97d6
Instruction Fuzzy Hash: 2BE1E231E55259CEEB24CFA5D9567FE7BB1AB04304F28402BE401A6292D7FC99C2CB4D

Function 004089B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000012), ref: 004089C4
GetSystemTime.KERNEL32(00403CA9), ref: 004089CE
GetTimeZoneInformation.KERNEL32(?), ref: 00408A23

Strings

x=%d, y=%d, xrefs: 00408A4C

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID: x=%d, y=%d
API String ID: 2475273158-4063873591
Opcode ID: 259c1c831e97d5fbf72845641751fb639a20b83e99d6f7100b0044629b6d94b9
Instruction ID: a26e291306a1e87c9fb69ece29d7d7f305d7548aa12b92bf268cc408a1335f90
Opcode Fuzzy Hash: 259c1c831e97d5fbf72845641751fb639a20b83e99d6f7100b0044629b6d94b9
Instruction Fuzzy Hash: A1216565A00116A5CF20AB94D9046FF77B9EB44720F44452BF991F69D0EB7C8D82CB7C

Function 0040DE48 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000DE02), ref: 0040DE4D

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 480c36a6514f97d2a7d3d76f4c4892470a88d5a5cbb8308d7cc4f184d53d5b63
Instruction ID: 72987f4640873295066061d75ed557a05586d1895af15d0c133338de6dae84eb
Opcode Fuzzy Hash: 480c36a6514f97d2a7d3d76f4c4892470a88d5a5cbb8308d7cc4f184d53d5b63
Instruction Fuzzy Hash: 10A011B8A022008AC2800BA0AE0A0803EA0EA08202328803BA302882A0CBB00080CA8C

Function 0040DE5A Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040DE5F

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3adc0f5ebc27224124c0d2694f8cda5947711cb90795d0216039d65cface39d
Instruction ID: b31e3ff5334811a3db2c6f49b3437fa79dfce3f4ef5acba7b70111df48861498
Opcode Fuzzy Hash: b3adc0f5ebc27224124c0d2694f8cda5947711cb90795d0216039d65cface39d
Instruction Fuzzy Hash:

Function 0040C207 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 417fec514f0ba7c62701d36feb5f632bd3e399edcb00eb6118dea4034da0ba6a
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 45B16E35910206DFDB15CF14C5D0AA9BBA1FF58318F24C2AEDC1A6B386C735EA46CB94

Function 004057E8 Relevance: 72.0, APIs: 9, Strings: 32, Instructions: 219
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040578B: htons.WS2_32(00000000), ref: 0040579F
Part of subcall function 0040578B: socket.WS2_32(00000002,00000001,00000000), ref: 004057BD
Part of subcall function 0040578B: connect.WS2_32(00000000,00000002,00000010), ref: 004057CC
Part of subcall function 0040578B: closesocket.WS2_32(00000000), ref: 004057D8

Part of subcall function 00402FD5: setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00402FEB
Part of subcall function 00402FD5: WSAIoctl.WS2_32(0002BF20,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 00403096

Part of subcall function 004037AB: RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 00403827
Part of subcall function 004037AB: RegQueryValueExA.ADVAPI32(?,~MHz,00000000,?,?,?), ref: 0040385C
Part of subcall function 004037AB: RegCloseKey.ADVAPI32(?), ref: 0040387B

GetSystemInfo.KERNEL32(?), ref: 00405870
GetComputerNameA.KERNEL32(?,00000020), ref: 004058B8
GetSystemDefaultUILanguage.KERNEL32 ref: 004058D3
send.WS2_32(0000000B,000000CC,00000000), ref: 004059B9
select.WS2_32(00000001,?,00000000,00000000,00000000), ref: 004059EE
__WSAFDIsSet.WS2_32(00000001), ref: 00405A0E
recv.WS2_32(?,000000C4,00000000,00000001), ref: 00405A26
closesocket.WS2_32 ref: 00405A97
closesocket.WS2_32 ref: 00405AA3

Strings

t, xrefs: 0040593C
w, xrefs: 00405924
d, xrefs: 0040591C
O, xrefs: 00405854
e, xrefs: 00405934
x=%d, y=%d, xrefs: 00405889, 0040588F, 004058A7, 004058CA, 004058EB, 00405951, 00405966, 0040599A
n, xrefs: 0040582C
i=%d, j=%d, xrefs: 0040587B, 00405881, 0040589B, 004058C1, 004058DF, 00405948, 0040595A, 00405991
o, xrefs: 00405920
W, xrefs: 00405824
w, xrefs: 00405838
e, xrefs: 00405848
s, xrefs: 00405928
-, xrefs: 004058F9
o, xrefs: 00405834
t, xrefs: 00405850
n, xrefs: 00405938
TWoR, xrefs: 004058B0
i, xrefs: 00405914
R, xrefs: 00405930
F, xrefs: 004058F5
n, xrefs: 00405918
, xrefs: 0040592C
, xrefs: 00405840
i, xrefs: 00405828
s, xrefs: 0040583C
S, xrefs: 00405858
d, xrefs: 00405830
n, xrefs: 0040584C
, xrefs: 0040590C
R, xrefs: 00405844
W, xrefs: 00405910

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: closesocket$System$CloseComputerDefaultInfoIoctlLanguageNameOpenQueryValueconnecthtonsrecvselectsendsetsockoptsocket
String ID: i=%d, j=%d$x=%d, y=%d$ $ $ $ TWoR$-$F$O$R$R$S$W$W$d$d$e$e$i$i$n$n$n$n$o$o$s$s$t$t$w$w
API String ID: 2744665894-2183175534
Opcode ID: e924cf13e24849bade1f5ebd2fb7acf6814aab7920ae7f62073911bc8cee8411
Instruction ID: 5ef4ab80f4d6165f337ada50ec1a5e623477f2f7d67182f73196e52a3888a14c
Opcode Fuzzy Hash: e924cf13e24849bade1f5ebd2fb7acf6814aab7920ae7f62073911bc8cee8411
Instruction Fuzzy Hash: 3781A871C04288ADEB11E7A4CD45FEF7ABD9B02348F0481AAF144B61C2E7B94A54CB79

Function 004041A9 Relevance: 68.7, APIs: 32, Strings: 7, Instructions: 417
networkthreadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

Part of subcall function 00402524: socket.WS2_32(00000002,00000001,00000000), ref: 00402531
Part of subcall function 00402524: htons.WS2_32(?), ref: 0040254D
Part of subcall function 00402524: connect.WS2_32(00000000,00000002,00000010), ref: 0040255E
Part of subcall function 00402524: closesocket.WS2_32(00000000), ref: 0040256A

wsprintfA.USER32 ref: 00404236
GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 00404243
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 0040424A
send.WS2_32(00000000,?,-00000800,00000000), ref: 00404286
closesocket.WS2_32(00000000), ref: 00404289
Sleep.KERNEL32(00000005), ref: 00404291
RtlExitUserThread.NTDLL(00000000,00000000,76A958A0,00000000), ref: 004043CA
wsprintfA.USER32 ref: 0040446F
GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 0040447C
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 00404483
send.WS2_32(00000000,?,?,00000000), ref: 0040426D

Part of subcall function 00402673: GetTickCount.KERNEL32 ref: 00402674

RtlExitUserThread.NTDLL(00000000), ref: 004042AD
wsprintfA.USER32 ref: 00404353
GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 00404360
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 00404367
send.WS2_32(00000000,?,?,00000000), ref: 0040438A
send.WS2_32(00000000,?,-00000800,00000000), ref: 004043A3
closesocket.WS2_32(00000000), ref: 004043A6
Sleep.KERNEL32(00000005), ref: 004043AE
send.WS2_32(?,?,00000000,00000000), ref: 004044AF
recv.WS2_32(?,?,00007FF8,00000000), ref: 004044BC
send.WS2_32(?,?,-00000800,00000000), ref: 004044DA
send.WS2_32(?,?,00007FF8,00000000), ref: 004044E7
closesocket.WS2_32(?), ref: 004044EA
Sleep.KERNEL32(00000005), ref: 004044F2
RtlExitUserThread.NTDLL(00000000,000000C4,000000C4,00000000,76A958A0,00000000), ref: 004044FE
InternetOpenA.WININET(User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0),00000000,00000000,00000000,00000000), ref: 004045E8
InternetOpenUrlA.WININET(?,?,?,?,84000100,00000000), ref: 00404627
InternetReadFile.WININET(?,?,00001000,?), ref: 00404647
InternetCloseHandle.WININET(?), ref: 00404663
InternetCloseHandle.WININET(?), ref: 0040467E
RtlExitUserThread.NTDLL(00000000), ref: 0040469C

Strings

Cache-Control: no-cacheReferer: http://www.baidu.com, xrefs: 004045A3
x=%d, y=%d, xrefs: 00404566, 0040456C, 0040457E, 00404597, 00404602, 00404671
Head %s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: zh-CNUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50Range: bytes=0-18446744073709551615Referer: , xrefs: 00404230
i=%d, j=%d, xrefs: 00404558, 0040455E, 00404575, 0040458E, 004045F9, 00404668
User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0), xrefs: 004045E3
POST %s HTTP/1.1Accept: */*Accept-Language: zh-CNAccept-Encoding: gzip, deflateUser-Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11Host: %s, xrefs: 00404469
GET %s HTTP/1.1Connection: Keep-AliveAccept: text/html, */*Accept-Language: zh-CNUser-Agent: %sReferer: %sHost: %s, xrefs: 0040434D

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: send$Process$Internet$ExitThreadUserclosesocket$CurrentSizeSleepWorkingwsprintf$CloseHandleOpen$CountFileReadTickconnectgethostbynamehtonsinet_addrrecvsocket
String ID: i=%d, j=%d$x=%d, y=%d$Cache-Control: no-cacheReferer: http://www.baidu.com$GET %s HTTP/1.1Connection: Keep-AliveAccept: text/html, */*Accept-Language: zh-CNUser-Agent: %sReferer: %sHost: %s$Head %s HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: zh-CNUser-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50Range: bytes=0-18446744073709551615Referer: $POST %s HTTP/1.1Accept: */*Accept-Language: zh-CNAccept-Encoding: gzip, deflateUser-Agent:Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11Host: %s$User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
API String ID: 3872357285-2120180902
Opcode ID: 37876d8b08dfe017e4c0d06899240cc4571484ec18f537bc37ade032d386be3b
Instruction ID: e6a72a96232520c85c5ba0d2c9ae1978a39496664e9286b5dadd943091728e1f
Opcode Fuzzy Hash: 37876d8b08dfe017e4c0d06899240cc4571484ec18f537bc37ade032d386be3b
Instruction Fuzzy Hash: 53D1E472900218BBEB10ABA1DD45FDB7BBCEB45314F10457EF344E21C1DE789A948BA9

Function 004026B3 Relevance: 60.0, APIs: 16, Strings: 18, Instructions: 498
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00402702
WSAStartup.WS2_32(00000102,?), ref: 00402770
WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 004027B1
WSAGetLastError.WS2_32 ref: 004027D5
setsockopt.WS2_32(000000FF,00000000,00000002,00000001,00000004), ref: 0040280D
setsockopt.WS2_32(000000FF,0000FFFF,00001005,?,00000004), ref: 00402838
htons.WS2_32(00000028), ref: 0040295A
inet_addr.WS2_32(?), ref: 00402982
htons.WS2_32 ref: 00402A07
htons.WS2_32(?), ref: 00402A1A
htonl.WS2_32(28376839), ref: 00402A2C
htons.WS2_32(00004000), ref: 00402A52
htons.WS2_32(00000014), ref: 00402AF5
inet_addr.WS2_32(?), ref: 00402C64
htonl.WS2_32(?), ref: 00402C79
sendto.WS2_32(000000FF,?,?,00000000,?,00000010), ref: 00402E1C

Part of subcall function 00402E53: closesocket.WS2_32(000000FF), ref: 00402E5C
Part of subcall function 00402E53: WSACleanup.WS2_32 ref: 00402E62
Part of subcall function 00402E53: Sleep.KERNEL32(00000000), ref: 00402E70

Strings

., xrefs: 00402BB8
d, xrefs: 00402B9C
Set IP_HDRINCL Error!, xrefs: 00402814
., xrefs: 00402BCD
., xrefs: 00402BA3
%, xrefs: 00402BD4
d, xrefs: 00402BB1
%, xrefs: 00402B95
E, xrefs: 004028EF
x=%d, y=%d, xrefs: 00402744, 00402749, 0040275B, 00402799, 004027C6, 004028E5, 0040294B, 004029EC, 00402AC7, 00402B5A, 00402CEE, 00402D92
i=%d, j=%d, xrefs: 00402736, 0040273B, 00402752, 00402790, 004027BD, 004028B4, 0040291A, 004029BB, 00402A96, 00402B29, 00402CBD, 00402D5E
%, xrefs: 00402BAA
d, xrefs: 00402BC6
P, xrefs: 00402A3F
WSAStartup failed: %d, xrefs: 0040277B
WSASocket() failed: %d, xrefs: 004027DC
d, xrefs: 00402BDB
%, xrefs: 00402BBF

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: htons$Startuphtonlinet_addrsetsockopt$CleanupErrorLastSleepSocketclosesocketsendto
String ID: i=%d, j=%d$x=%d, y=%d$%$%$%$%$.$.$.$E$P$Set IP_HDRINCL Error!$WSASocket() failed: %d$WSAStartup failed: %d$d$d$d$d
API String ID: 1145750529-1422214691
Opcode ID: eec8bb190fa8ad50a1ae3856e13a6145ed26624f05fcc6f9a9b466bc7aab50e5
Instruction ID: 122587cfeeed4bfb32f6449c2658a1ac5cc9d53b7ccd8847bfbb94d4e5865164
Opcode Fuzzy Hash: eec8bb190fa8ad50a1ae3856e13a6145ed26624f05fcc6f9a9b466bc7aab50e5
Instruction Fuzzy Hash: E4123FB1D40618AEEB209F55DD45FEEBAB9AB44704F1041EAF688F62C1D7F40AC08F65

Function 00403C2E Relevance: 47.6, APIs: 17, Strings: 10, Instructions: 360networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00403C7C
__ftol.LIBCMT ref: 00403CCC
socket.WS2_32(00000002,00000003,00000000), ref: 00403D42

Strings

x=%d, y=%d, xrefs: 00403C61, 00403C67, 00403C9C, 00403CE0, 00403CF5, 00403D07, 00403D33, 00403D66, 00403DAE, 00403E06, 00403E40, 00403EAE, 00403F0A, 00403F3D, 00403F63, 00403F9E, 00403FF5, 0040401B
i=%d, j=%d, xrefs: 00403C53, 00403C59, 00403C93, 00403CD4, 00403CE9, 00403CFE, 00403D2A, 00403D5D, 00403D9D, 00403DF9, 00403E33, 00403EA1, 00403EFC, 00403F2F, 00403F59, 00403F90, 00403FE7, 00404011
P, xrefs: 00403EE4
192.168.1.32, xrefs: 00403E70
sock err!, xrefs: 00403D50
E, xrefs: 00403E60
opt err!, xrefs: 00403D8F
time err!, xrefs: 00403DD1
InitWSAStartup Error!, xrefs: 00403C86
Send err!, xrefs: 00404058

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Startup__ftolsocket
String ID: i=%d, j=%d$x=%d, y=%d$192.168.1.32$E$InitWSAStartup Error!$P$Send err!$opt err!$sock err!$time err!
API String ID: 883726353-868327508
Opcode ID: 0bdaadff49c560ab287577ed21e3645730c3b2ddf8d5989770a0f03fe2a47b13
Instruction ID: 609296a8d170a5903be276590d814d28a62098b7731c51efac33e534418bfd0a
Opcode Fuzzy Hash: 0bdaadff49c560ab287577ed21e3645730c3b2ddf8d5989770a0f03fe2a47b13
Instruction Fuzzy Hash: 16C18471E40309B5EB20BBA1DD46FCF767CAF46748F00846BB704B91C3EAB8465497A9

Function 004030A1 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 338networksleepthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 004030F2
htons.WS2_32(?), ref: 00403136

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

socket.WS2_32(00000002,00000001,00000006), ref: 00403179
connect.WS2_32(00000000,?,00000010), ref: 0040318B
closesocket.WS2_32(?), ref: 0040319A
socket.WS2_32(00000002,00000001,00000000), ref: 004031B5
setsockopt.WS2_32(00000000,0000FFFF,00001001,00000000,00000004), ref: 004031D2
GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 00403242
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 00403249
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 0040327C
closesocket.WS2_32(?), ref: 0040329A
Sleep.KERNEL32(00000032), ref: 004032A2
closesocket.WS2_32(?), ref: 004032C3
RtlExitUserThread.NTDLL(00000000), ref: 004032CB

Strings

x=%d, y=%d, xrefs: 004030D4, 004030DC, 00403103, 00403129, 0040314C, 0040316B, 004031E3, 004031F4, 0040325A, 0040328D, 004032D9, 00403304, 0040330A, 00403332, 00403376, 00403396, 004033C2, 004033E2
i=%d, j=%d, xrefs: 004030C6, 004030CC, 004030FB, 0040311A, 0040313F, 0040315F, 004031DB, 004031EC, 00403252, 00403285, 004032DA, 004032F6, 004032FC, 00403329, 0040336D, 0040338D, 004033B9, 004033D5

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: closesocket$Processsocket$CurrentExitSizeSleepStartupThreadUserWorkingconnectgethostbynamehtonsinet_addrsendtosetsockopt
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 935443681-1211302626
Opcode ID: ea722d465ac30998e37fa1903b4a8698177763ad164399321eaacc8903076aa2
Instruction ID: 5ff41e15fb5514619c84d1fa372a95beef608028e0ea2f82b17d9a5e752177af
Opcode Fuzzy Hash: ea722d465ac30998e37fa1903b4a8698177763ad164399321eaacc8903076aa2
Instruction Fuzzy Hash: 22A1E6715443087EE210BB61DD86FAF76ACDF4678CF00883EF344B51D2EAB94A14567A

Function 0040388D Relevance: 35.3, APIs: 14, Strings: 6, Instructions: 319networksleepCOMMON

Download Yara Rule

APIs

WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 00403934
setsockopt.WS2_32(?,00000000,00000002,?,00000004), ref: 0040396F
setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 004039AD
inet_addr.WS2_32(?), ref: 004039E9
htons.WS2_32(00000028), ref: 00403A17
inet_addr.WS2_32(?), ref: 00403A46
inet_addr.WS2_32(?), ref: 00403A56
htons.WS2_32 ref: 00403A85
htons.WS2_32(?), ref: 00403A91
htonl.WS2_32 ref: 00403AA6
htons.WS2_32(00000200), ref: 00403AC0
htons.WS2_32(00000014), ref: 00403AFD
sendto.WS2_32(?,?,00000028,00000000,00000002,00000010), ref: 00403C0C
Sleep.KERNEL32(00000005), ref: 00403C14

Strings

192.168.1.244, xrefs: 004038F3
x=%d, y=%d, xrefs: 004038AC, 004038B2, 004038D8, 004038ED, 0040391C, 00403952, 0040398A, 004039C8, 004039FE, 00403A6D, 00403ADE, 00403B12, 00403B5D, 00403BB8
i=%d, j=%d, xrefs: 0040389D, 004038A4, 004038CF, 004038E1, 0040390D, 00403913, 00403949, 00403981, 004039BF, 004039F2, 00403A60, 00403AD0, 00403B09, 00403B4D, 00403BAC
P, xrefs: 00403AB8
@, xrefs: 00403A23
E, xrefs: 00403A11

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: htons$inet_addr$setsockopt$SleepSockethtonlsendto
String ID: i=%d, j=%d$x=%d, y=%d$192.168.1.244$@$E$P
API String ID: 36144736-1487764589
Opcode ID: 46a231499d66145d66ed821992d9e5af34a12e45b2211e1b07509bededb92242
Instruction ID: 00aa11e259d23037aba279591c3284fd8a326c31415f7970f7d253e3be644c7e
Opcode Fuzzy Hash: 46a231499d66145d66ed821992d9e5af34a12e45b2211e1b07509bededb92242
Instruction Fuzzy Hash: 9AA18371D40348B5EB21EBA1CD4AFDF767C9F46704F00846EB705BA1C3EAB84A5487A9

Function 004034E4 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 239networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00402673: GetTickCount.KERNEL32 ref: 00402674

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

htons.WS2_32(?), ref: 004035B1
WSASocketA.WS2_32(00000002,00000003,000000FF,00000000,00000000,00000001), ref: 004035DF
wsprintfA.USER32 ref: 0040367C
htons.WS2_32(0000041C), ref: 00403692
inet_addr.WS2_32(00000000), ref: 004036B6
htons.WS2_32 ref: 004036F4
htons.WS2_32(?), ref: 00403704
htons.WS2_32(00000408), ref: 00403713
sendto.WS2_32(?,00000000,0000041C,00000000,00000002,00000010), ref: 00403786
Sleep.KERNEL32(0000000A), ref: 00403797

Strings

x=%d, y=%d, xrefs: 00403515, 0040351C, 0040357B, 00403593, 004035C7, 004035FD, 00403621, 004036DC, 00403766
i=%d, j=%d, xrefs: 00403506, 00403572, 00403584, 004035BA, 004035F4, 00403616, 004036CF, 00403758
E, xrefs: 00403689
%d.%d.%d.%d, xrefs: 00403676

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: htons$inet_addr$CountSleepSocketTickgethostbynamesendtowsprintf
String ID: i=%d, j=%d$x=%d, y=%d$%d.%d.%d.%d$E
API String ID: 2874787628-3460710964
Opcode ID: 8e9391ae41fa05df511794d0f028da3b2820d6fe1642b09b896ad6e47e87aa21
Instruction ID: ff3fab104711aeb6231fa6f38e4c13636c2264ce283ade5ee7ce96aa1f58c3ae
Opcode Fuzzy Hash: 8e9391ae41fa05df511794d0f028da3b2820d6fe1642b09b896ad6e47e87aa21
Instruction Fuzzy Hash: 0571B675A4020976EB20ABB1CD46FEF76399F85704F00847EB341B91C2EEB84A509769

Function 004061EA Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 185sleepthreadregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Pqrstua Cdefgh,00406412), ref: 004061FE
SetServiceStatus.ADVAPI32(00418508), ref: 004062DD
Sleep.KERNEL32(000001F4), ref: 00406303
SetServiceStatus.ADVAPI32(00418508), ref: 00406332
WSAStartup.WS2_32(00000202,?), ref: 00406356
CreateThread.KERNEL32(00000000,00000000,Function_000056C8,00000000,00000000,00000000), ref: 0040637C
CreateThread.KERNEL32(00000000,00000000,00405B0E,00000000,00000000,00000000), ref: 0040638E
WaitForSingleObject.KERNEL32(000000FF), ref: 004063B5
CloseHandle.KERNEL32 ref: 004063D5
closesocket.WS2_32 ref: 004063E1
Sleep.KERNEL32(00000BB8), ref: 00406407

Strings

x=%d, y=%d, xrefs: 0040621C, 00406224, 0040623F, 0040625A, 00406275, 00406290, 004062AB, 004062C9, 004062F5, 0040631E, 00406343, 00406367, 004063A4, 004063C6, 004063F9
i=%d, j=%d, xrefs: 00406209, 0040620F, 0040622D, 00406248, 0040626D, 0040627E, 00406299, 004062C1, 004062ED, 0040630C, 0040633B, 0040635F, 00406397, 004063BE, 004063F1
Pqrstua Cdefgh, xrefs: 004061F9

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Service$CreateSleepStatusThread$CloseCtrlHandleHandlerObjectRegisterSingleStartupWaitclosesocket
String ID: i=%d, j=%d$x=%d, y=%d$Pqrstua Cdefgh
API String ID: 2296132945-2841422515
Opcode ID: 3492d6bbd68280e26ae5ed08855f20f88fa0e78dee612d5d7f4a7ce09bdbfaf8
Instruction ID: a99f8aabad0be4ff45e753892dd9d25af12037b68c92d2ce4d89189b7607c7d3
Opcode Fuzzy Hash: 3492d6bbd68280e26ae5ed08855f20f88fa0e78dee612d5d7f4a7ce09bdbfaf8
Instruction Fuzzy Hash: 7D51DBB15402097EE2013B22AE46FBF3A6DDB1678DF01C52EB644B42D3EEB91E1145BD

Function 00404945 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 117networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040494A
htons.WS2_32(00004129), ref: 004049EE

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

socket.WS2_32(00000002,00000001,00000000), ref: 00404A31
connect.WS2_32(?,00000002,00000010), ref: 00404A58
closesocket.WS2_32(?), ref: 00404A66

Strings

x=%d, y=%d, xrefs: 004049D8, 004049DE, 00404A04, 00404A22, 00404A46, 00404A7D
i=%d, j=%d, xrefs: 004049C4, 004049CA, 004049F7, 00404A16, 00404A3A, 00404A74
(, xrefs: 00404972
O, xrefs: 0040499A
6CA26E9A8ACEE7A9B937983B193CAA6A, xrefs: 004049AF
~, xrefs: 00404966
+, xrefs: 00404962
<, xrefs: 0040499E

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prologclosesocketconnectgethostbynamehtonsinet_addrsocket
String ID: i=%d, j=%d$x=%d, y=%d$($+$6CA26E9A8ACEE7A9B937983B193CAA6A$<$O$~
API String ID: 3150497368-2680386479
Opcode ID: 4b012d22926e35a2a64fd35ee53fd38b5aea9da97c5693f4783a8255bfdfa46b
Instruction ID: efc398db915a4811f6cbee3194b71a852a5cebab8de0b1a7b577a4a55ce8fa8d
Opcode Fuzzy Hash: 4b012d22926e35a2a64fd35ee53fd38b5aea9da97c5693f4783a8255bfdfa46b
Instruction Fuzzy Hash: F3410B70D0024DA9EB11A7A99D4AFEEBB3C9F12358F00426EF150762D3D7B80A0197B9

Function 00402E73 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 116networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402E78
htons.WS2_32(00001F91), ref: 00402F1A

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

socket.WS2_32(00000002,00000001,00000000), ref: 00402F5D
connect.WS2_32(?,00000002,00000010), ref: 00402F84
closesocket.WS2_32(?), ref: 00402F92

Strings

x=%d, y=%d, xrefs: 00402F06, 00402F0C, 00402F30, 00402F4E, 00402F72, 00402FA9
i=%d, j=%d, xrefs: 00402EF2, 00402EF8, 00402F23, 00402F42, 00402F66, 00402FA0
~, xrefs: 00402E94
<, xrefs: 00402ECC
(, xrefs: 00402EA0
O, xrefs: 00402EC8
+, xrefs: 00402E90
5A9F769FF57B7E1E994A964B211C5F1980FC12, xrefs: 00402EDD

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: H_prologclosesocketconnectgethostbynamehtonsinet_addrsocket
String ID: i=%d, j=%d$x=%d, y=%d$($+$5A9F769FF57B7E1E994A964B211C5F1980FC12$<$O$~
API String ID: 3150497368-1907008454
Opcode ID: 2c8e05d61d474977845eadf3a6ac738190a3e7e4f66d435699b0b2a917198aa9
Instruction ID: a4b5eaa42d208ed5cb154f17fbedc59bd05dc571b201ff25960e750dbf8f8340
Opcode Fuzzy Hash: 2c8e05d61d474977845eadf3a6ac738190a3e7e4f66d435699b0b2a917198aa9
Instruction Fuzzy Hash: E241FD30D0424DB9EB11B7A99D45FEEBB385F12358F00426EF150761D3D7B80A0197B9

Function 00406412 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 220sleepCOMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00418508), ref: 004064A2
Sleep.KERNEL32(000001F4), ref: 004064BE
SetServiceStatus.ADVAPI32(00418508), ref: 00406516
Sleep.KERNEL32(000001F4), ref: 00406532
SetServiceStatus.ADVAPI32(00418508), ref: 004065C9
Sleep.KERNEL32(000001F4), ref: 004065E5
SetServiceStatus.ADVAPI32(00418508), ref: 00406635
Sleep.KERNEL32(000001F4), ref: 00406651
SetServiceStatus.ADVAPI32(00418508), ref: 004066AF

Strings

x=%d, y=%d, xrefs: 00406429, 00406456, 00406472, 0040648E, 004064B0, 004064DC, 004064F8, 00406524, 00406544, 0040655D, 00406581, 0040659D, 004065B5, 004065D7, 00406617, 00406643, 00406663, 0040667C, 0040669B
i=%d, j=%d, xrefs: 00406424, 0040644D, 0040645F, 0040647B, 004064A7, 004064D3, 004064E5, 0040651B, 0040653B, 00406554, 00406578, 0040658A, 004065A6, 004065CE, 00406604, 0040663A, 0040665A, 00406673, 00406692

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ServiceStatus$Sleep
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 4108286180-1211302626
Opcode ID: d4917e07c9ea4d00a99fdc1bd992a337d36b1d803616f317da748a5cdbd78b86
Instruction ID: 6ec6f814e4218cb82c6a6af5bb67cd6d81b18e39341711e23d75ced4529739d1
Opcode Fuzzy Hash: d4917e07c9ea4d00a99fdc1bd992a337d36b1d803616f317da748a5cdbd78b86
Instruction Fuzzy Hash: CC51DAB05802097AF2113B129E47FBF261DDB12B8DF41C42EB244342D3EEBD0E1169AE

Function 004047E7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110networksleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 004024FF: inet_addr.WS2_32(-000003F6), ref: 00402503
Part of subcall function 004024FF: gethostbyname.WS2_32(?), ref: 00402511

Part of subcall function 00402524: socket.WS2_32(00000002,00000001,00000000), ref: 00402531
Part of subcall function 00402524: htons.WS2_32(?), ref: 0040254D
Part of subcall function 00402524: connect.WS2_32(00000000,00000002,00000010), ref: 0040255E
Part of subcall function 00402524: closesocket.WS2_32(00000000), ref: 0040256A

wsprintfA.USER32 ref: 004048A6
GetCurrentProcess.KERNEL32(000000FF,000000FF), ref: 004048B3
SetProcessWorkingSetSize.KERNEL32(00000000), ref: 004048BA
send.WS2_32(00000000,?,?,00000000), ref: 004048DE
recv.WS2_32(00000000,?,00007FF8,00000000), ref: 004048EB

Part of subcall function 00402673: GetTickCount.KERNEL32 ref: 00402674

send.WS2_32(00000000,?,-00000800,00000000), ref: 00404909
send.WS2_32(00000000,?,00007FF8,00000000), ref: 00404916
closesocket.WS2_32(00000000), ref: 00404919
Sleep.KERNEL32(00000005), ref: 00404921
RtlExitUserThread.NTDLL(00000000), ref: 0040493F

Strings

GET %s HTTP/1.1Accept: */*Accept-Language: zh-CNAccept-Encoding: gzip, deflateUser-Agent: %sHost: %s, xrefs: 004048A0

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: send$Processclosesocket$CountCurrentExitSizeSleepThreadTickUserWorkingconnectgethostbynamehtonsinet_addrrecvsocketwsprintf
String ID: GET %s HTTP/1.1Accept: */*Accept-Language: zh-CNAccept-Encoding: gzip, deflateUser-Agent: %sHost: %s
API String ID: 2798269228-2160938302
Opcode ID: 9aa690ae6986a2b34c22f1b89080174cededd6eb31737ced7f75f3164fcca912
Instruction ID: f51822f240692a8053a50dfcca2b5274b2881f1df9f2e502570dc293d19dfa8c
Opcode Fuzzy Hash: 9aa690ae6986a2b34c22f1b89080174cededd6eb31737ced7f75f3164fcca912
Instruction Fuzzy Hash: AA31C772900218BAEB1097A0DD09FDB3BBCEB44315F1484BAF349E21D1DEB85994CB68

Function 00404FCF Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 143sleepthreadnetworkCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 00404FE0
__ftol.LIBCMT ref: 00405092
send.WS2_32(?,00000018,00000000), ref: 00405139
Sleep.KERNEL32(000007D0), ref: 00405144

Strings

x=%d, y=%d, xrefs: 00404FFD, 00405003, 0040501A, 0040503E, 00405060, 00405085, 004050D1, 004050E2, 004050FE, 00405121
i=%d, j=%d, xrefs: 00404FEF, 00404FF5, 00405011, 00405035, 00405057, 0040507C, 004050C8, 004050D9, 004050F5, 00405118
<"A, xrefs: 00405027, 0040506D
%.fKb/bps|%d%%, xrefs: 004050B4

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExitSleepThreadUser__ftolsend
String ID: i=%d, j=%d$x=%d, y=%d$%.fKb/bps|%d%%$<"A
API String ID: 3795447664-4135614110
Opcode ID: def9b406ce94f3547b86fee9e8351b54c03e5989298be342786e6876818ce93c
Instruction ID: fce1e63cbed6aa965e48371db96df29c319fb4f61bdf8efcd5726da3c26e7147
Opcode Fuzzy Hash: def9b406ce94f3547b86fee9e8351b54c03e5989298be342786e6876818ce93c
Instruction Fuzzy Hash: 65418F7154430977D2207A22DE46F9F7A5CDB8678CF01882EB284741C3EE7DA614557E

Function 0040C91F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00002020,([A), ref: 0040C940
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000006,0040CDEB,?,00000010,00001000,?,?,?,004090CC,00000010,00000006), ref: 0040C964
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000006,0040CDEB,?,00000010,00001000,?,?,?,004090CC,00000010,00000006), ref: 0040C97E
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000006,0040CDEB,?,00000010,00001000,?,?,?,004090CC,00000010,00000006,00409061), ref: 0040CA3F
HeapFree.KERNEL32(00000000,00000000,?,00000006,0040CDEB,?,00000010,00001000,?,?,?,004090CC,00000010,00000006,00409061,000000E0), ref: 0040CA56

Strings

([A, xrefs: 0040CA45
([A, xrefs: 0040C99F, 0040C9A8, 0040C9B1, 0040C9B9
([A, xrefs: 0040C928, 0040C929, 0040C92C, 0040C988, 0040C991, 0040C99A

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Virtual$AllocFreeHeap$Allocate
String ID: ([A$([A$([A
API String ID: 3000792370-485227959
Opcode ID: 252b16199caaf8274c0e25629e63689a58a963f495be8733396297ec650dcf69
Instruction ID: 7b0a2b5b307234bdbadda4f9c2d3330fd6d99f44db996a2e4a864c51ef13add5
Opcode Fuzzy Hash: 252b16199caaf8274c0e25629e63689a58a963f495be8733396297ec650dcf69
Instruction Fuzzy Hash: B03190B1644B05EBD320DF28EC85BA6B7E4EB88764F10863AF155A72D0D778B841CB5C

Function 0040D7C8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040D835
GetStdHandle.KERNEL32(000000F4,00412680,00000000,?,00000000,00000000), ref: 0040D90B
WriteFile.KERNEL32(00000000), ref: 0040D912

Strings

Runtime Error!Program: , xrefs: 0040D89B
Microsoft Visual C++ Runtime Library, xrefs: 0040D8E1
..., xrefs: 0040D887
<program name unknown>, xrefs: 0040D845
h|A, xrefs: 0040D7E3

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $h|A
API String ID: 3784150691-368981224
Opcode ID: ccd0fe01459f5b1dd4ebe9b5a8f9e6c50729a013afc6f5346dda6e99f3b91060
Instruction ID: ac55a3e8249a1377cf40e28000151495e3142391508d49b7d01a91de537b8c2b
Opcode Fuzzy Hash: ccd0fe01459f5b1dd4ebe9b5a8f9e6c50729a013afc6f5346dda6e99f3b91060
Instruction Fuzzy Hash: FE31B672A402186FDF24A6A0CD45FDA737CEB45304F10447BF584F61C0EAB8A9958B5D

Function 0040406C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0040409B
WSASocketA.WS2_32(00000002,00000003,00000001,00000000,00000000,00000001), ref: 004040B4
setsockopt.WS2_32(00000000,0000FFFF,00001005,000007D0,00000004), ref: 004040D6

Part of subcall function 0040260A: inet_addr.WS2_32(?), ref: 0040260E
Part of subcall function 0040260A: gethostbyname.WS2_32(?), ref: 0040261C

GetCurrentProcessId.KERNEL32 ref: 0040411C
GetTickCount.KERNEL32 ref: 00404134
sendto.WS2_32(00000000,?,00000A0C,00000000,00000002,00000010), ref: 0040418F

Strings

x=%d, y=%d, xrefs: 004040F7
i=%d, j=%d, xrefs: 004040E9

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountCurrentProcessSocketStartupTickgethostbynameinet_addrsendtosetsockopt
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 4249112871-1211302626
Opcode ID: 71166620b8b2b3b2ecf5e1185ce500726798df821d8ee257901f96bcb555e8e5
Instruction ID: 7a4882cfce9c5744c9e02238466cac80428c1bbd5b5c6985cd86dd2067699eab
Opcode Fuzzy Hash: 71166620b8b2b3b2ecf5e1185ce500726798df821d8ee257901f96bcb555e8e5
Instruction Fuzzy Hash: F731A871D40308BAEB109BA0DC8AFDE777CAF44704F04827AB704FA1D1E6B84A958B59

Function 0040FE3F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0040D8EC,?,Microsoft Visual C++ Runtime Library,00012010,?,00412680,?,004126D0,?,?,?,Runtime Error!Program: ), ref: 0040FE51
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040FE69
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040FE7A
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040FE87

Strings

user32.dll, xrefs: 0040FE4C
GetLastActivePopup, xrefs: 0040FE7C
GetActiveWindow, xrefs: 0040FE74
MessageBoxA, xrefs: 0040FE63

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: d150db50f78dfc102a092fe40f8293f28b5d5c76099d9b9d1354dc74e3cc7e44
Instruction ID: 8d721dd4b18d8c0ca37389efd140cfbf6b9c78442df3676d4f790523ac0be05e
Opcode Fuzzy Hash: d150db50f78dfc102a092fe40f8293f28b5d5c76099d9b9d1354dc74e3cc7e44
Instruction Fuzzy Hash: 76017531700301AFC721AFB9DD80AA77AE99B88751344443FF208D25E1DB788856CB98

Function 00411417 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00412790,00000001,00412790,00000001,00000000,022F0C5C,0040A9AC,0040E249,0041274C,?,00000006,?,-00000763), ref: 00411455
CompareStringA.KERNEL32(00000000,00000000,0041278C,00000001,0041278C,00000001,?,-00000763,?,0040E21A), ref: 00411472
CompareStringA.KERNEL32(?,00000006,00000000,0040E21A,?,-00000763,00000000,022F0C5C,0040A9AC,0040E249,0041274C,?,00000006,?,-00000763), ref: 004114D0
GetCPInfo.KERNEL32(?,00000000,00000000,022F0C5C,0040A9AC,0040E249,0041274C,?,00000006,?,-00000763,?,0040E21A), ref: 00411521
MultiByteToWideChar.KERNEL32(?,00000009,00000000,-00000763,00000000,00000000,?,-00000763,?,0040E21A), ref: 004115A0
MultiByteToWideChar.KERNEL32(?,00000001,00000000,-00000763,-00000763,-00000763,?,-00000763,?,0040E21A), ref: 00411601
MultiByteToWideChar.KERNEL32(?,00000009,?,-00000763,00000000,00000000,?,-00000763,?,0040E21A), ref: 00411614
MultiByteToWideChar.KERNEL32(?,00000001,?,-00000763,?,00000000,?,-00000763,?,0040E21A), ref: 00411660
CompareStringW.KERNEL32(?,00000006,00000000,-00000763,?,00000000,?,00000000,?,-00000763,?,0040E21A), ref: 00411678

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 397cf858c76ae87a9a7cdfd633a7a1cb99afb3ab274040c32c7cae97fcb58827
Instruction ID: 4d2159ab60f9fe132ad55b696941b9c0592fc9716a7839075d275dfc0cb19f96
Opcode Fuzzy Hash: 397cf858c76ae87a9a7cdfd633a7a1cb99afb3ab274040c32c7cae97fcb58827
Instruction Fuzzy Hash: EC719F71900249BFCF219F948D85AEF7FB6EB45354F14412BF652A2270C33A8C91DB99

Function 0041085B Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00412790,00000001,00000000,00000000,00000103,00000001,00000000,?,0040F852,00200020,00000000,?,00000000,00000000), ref: 0041089D
LCMapStringA.KERNEL32(00000000,00000100,0041278C,00000001,00000000,00000000,?,0040F852,00200020,00000000,?,00000000,00000000,00000001), ref: 004108B9
LCMapStringA.KERNEL32(00000000,?,00000000,00200020,0040F852,?,00000103,00000001,00000000,?,0040F852,00200020,00000000,?,00000000,00000000), ref: 00410902
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,0040F852,00200020,00000000,?,00000000,00000000), ref: 0041093A
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,0040F852,00200020,00000000,?,00000000), ref: 00410992
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,0040F852,00200020,00000000,?,00000000), ref: 004109A8
LCMapStringW.KERNEL32(00000000,?,0040F852,00000000,0040F852,?,?,0040F852,00200020,00000000,?,00000000), ref: 004109DB
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,0040F852,00200020,00000000,?,00000000), ref: 00410A43

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 514ab8969e687360577d9c632c158a04f3703579f891091b295ca71342501e57
Instruction ID: acbc3e326724620e619a247532405582c45e597d0560062ee2bc9d9a6f078926
Opcode Fuzzy Hash: 514ab8969e687360577d9c632c158a04f3703579f891091b295ca71342501e57
Instruction Fuzzy Hash: C5518C71500209EFDF219F95CD45AEF7FB5FB48750F10822AF910A1260C3BA8CA1DBA9

Function 004037AB Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 00403827
RegQueryValueExA.ADVAPI32(?,~MHz,00000000,?,?,?), ref: 0040385C
RegCloseKey.ADVAPI32(?), ref: 0040387B

Strings

x=%d, y=%d, xrefs: 004037C5, 004037CB, 004037DD, 004037F6, 0040380F, 00403839, 0040386E
i=%d, j=%d, xrefs: 004037B7, 004037BD, 004037D4, 004037E9, 00403806, 00403830, 00403865
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 0040381D
~MHz, xrefs: 00403853

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: i=%d, j=%d$x=%d, y=%d$HARDWARE\DESCRIPTION\System\CentralProcessor\0$~MHz
API String ID: 3677997916-717590390
Opcode ID: 9c1e94914a298c8fc2e59db7628cf6b5080351b6bc991fc10c597983900a373c
Instruction ID: 6248b6fe4c840e67728a5158146573ba63f7b5f3eda635fa0af03f38cddcf772
Opcode Fuzzy Hash: 9c1e94914a298c8fc2e59db7628cf6b5080351b6bc991fc10c597983900a373c
Instruction Fuzzy Hash: AA2187715402097EE2117A119E83FBF765CDB46B8CF41882EF744742C3EA794E1155BA

Function 0040B83C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(0000000C,00100000,00004000), ref: 0040B874
VirtualFree.KERNEL32(0000000C,00000000,00008000), ref: 0040B87F
HeapFree.KERNEL32(00000000,?), ref: 0040B88C
HeapFree.KERNEL32(00000000), ref: 0040B8A8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0040B8C9
HeapDestroy.KERNEL32 ref: 0040B8DB

Strings

([A, xrefs: 0040B8B3

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Free$HeapVirtual$Destroy
String ID: ([A
API String ID: 716807051-2441821139
Opcode ID: 0c9e8be2edc154952d1187430e402ab99a23677b4116cdad8579b256f4497231
Instruction ID: a0b8d0e88e1421d253f55143f88fc14a6dd29fdf93324dcaf3ecdd87cd13e49e
Opcode Fuzzy Hash: 0c9e8be2edc154952d1187430e402ab99a23677b4116cdad8579b256f4497231
Instruction Fuzzy Hash: 63115E76644204ABDA21AF10EC41F967766F744720F22C43AF640B61B0CBB5BC56CB5C

Function 0040D65D Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000002,?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C,?,0040B571,000000FF,0040B533,0040B533,000000FF), ref: 0040D678
GetEnvironmentStrings.KERNEL32(?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C,?,0040B571,000000FF,0040B533,0040B533,000000FF,?), ref: 0040D68C
GetEnvironmentStringsW.KERNEL32(?,00000002,?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C,?,0040B571,000000FF,0040B533,0040B533,000000FF), ref: 0040D6B8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000002,?,?,000000FF,000000FF,0040F484,?), ref: 0040D6F0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,0040B533,00000000,00000000,00000000,00000000,?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C), ref: 0040D712
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C,?,0040B571,000000FF,0040B533,0040B533,000000FF,?), ref: 0040D72B
GetEnvironmentStrings.KERNEL32(?,00000002,?,?,000000FF,000000FF,0040F484,?,00000000,00415B1C,?,0040B571,000000FF,0040B533,0040B533,000000FF), ref: 0040D73E
FreeEnvironmentStringsA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,h"At"Af@,h"At"Af@), ref: 0040D77C

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 50b140cde47cff86ad8c481e88d4ae70377ff255c38b7fb93295efd68066054f
Instruction ID: d78e90559a26e7fe2a89aa07eb90442a15f1fdbe27aaca1957aa72be6b288592
Opcode Fuzzy Hash: 50b140cde47cff86ad8c481e88d4ae70377ff255c38b7fb93295efd68066054f
Instruction Fuzzy Hash: 7D3138B2C042216FD7207FF85CC487B769CE759354711093FFA56E3281EA798C49866D

Function 0040F214 Relevance: 10.7, APIs: 7, Instructions: 180processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(0040B533,0040B533,00000000,00000000,00000001,000000FF,?,00000000,?,?,?,00000000,00415B1C), ref: 0040F371
GetLastError.KERNEL32 ref: 0040F379
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040F3B6
GetExitCodeProcess.KERNEL32(?,?), ref: 0040F3C3
CloseHandle.KERNEL32(?), ref: 0040F3CC
CloseHandle.KERNEL32(?), ref: 0040F3D9
CloseHandle.KERNEL32(0040B58F), ref: 0040F3E9

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseHandle$Process$CodeCreateErrorExitLastObjectSingleWait
String ID:
API String ID: 966596688-0
Opcode ID: b3d840c42763ea4b3ee14dee9b13034aadaf3e790924aa5161f74e93b214ebf1
Instruction ID: 03c52d897a38bb243cfe801abb8f653e57caf12c65ccad77bd82a9114246bbf7
Opcode Fuzzy Hash: b3d840c42763ea4b3ee14dee9b13034aadaf3e790924aa5161f74e93b214ebf1
Instruction Fuzzy Hash: 045113358042489FDB21CF64DC44AEEBBB5EB45324F2481BFE811BB6D1C779984ACB58

Function 00410712 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00412790,00000001,-00000033,00000000,-00000003,-00000033,00000000,-00000003,00000000,-00000763,0040E3C8,-00000003), ref: 00410751
GetStringTypeA.KERNEL32(00000000,00000001,0041278C,00000001,?,?,?,?,?,?,?,x=%d, y=%d,i=%d, j=%d,?,00408A85,00000012), ref: 0041076B
GetStringTypeA.KERNEL32(-00000033,0040E3C8,-00000763,00000000,-00000003,00000000,-00000003,-00000033,00000000,-00000003,00000000,-00000763,0040E3C8,-00000003), ref: 0041079F
MultiByteToWideChar.KERNEL32(00000000,-00000002,-00000763,00000000,00000000,00000000,00000000,-00000003,-00000033,00000000,-00000003,00000000,-00000763,0040E3C8,-00000003), ref: 004107D7
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 0041082D
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 0041083F

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 5df8b774d4c9a77128eb69b42eaa16e8f95b31859df70daefe0bb3efdc7e9ecc
Instruction ID: 0818c690c863ed52bb56e0714856270074b564441908bcb3747cf3633a37e43a
Opcode Fuzzy Hash: 5df8b774d4c9a77128eb69b42eaa16e8f95b31859df70daefe0bb3efdc7e9ecc
Instruction Fuzzy Hash: 0A418E75500219EFCF21AF54CD85AEF3F69FB08750F10452AFA15D2290C3B899A0CB99

Function 004056C8 Relevance: 9.0, APIs: 6, Instructions: 25sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 004056D9
Sleep.KERNEL32(00000258), ref: 004056E4
CreateThread.KERNEL32(00000000,00000000,Function_00005178,00000000,00000000,00000000), ref: 004056F6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405704
CloseHandle.KERNEL32 ref: 00405710
closesocket.WS2_32 ref: 0040571C

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CloseCreateHandleObjectSingleSleepStartupThreadWaitclosesocket
String ID:
API String ID: 964154963-0
Opcode ID: 44e354964dafaec4c441969297343f4a91da4b72d6f8363810dc476b72c76803
Instruction ID: 47045389ab8bcf369b36685f210a0f8d0bc80c17753468178bfb8b28848da1d0
Opcode Fuzzy Hash: 44e354964dafaec4c441969297343f4a91da4b72d6f8363810dc476b72c76803
Instruction Fuzzy Hash: 26E0C971401520BBD7115BA5ED0DEDB3E69FB0E361B108739B31DD00B1CAB50424CFA9

Function 0040B697 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0040B6B6
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0040B6EB
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040B74B

Strings

__MSVCRT_HEAP_SELECT, xrefs: 0040B6E6
__GLOBAL_HEAP_SELECTED, xrefs: 0040B725

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 55799f3d705b688186e6e658e07e1f7f58d3042459e26192c68e257bd960546e
Instruction ID: baefc899298e8724c898a9a08758f68ce54187c9717e35e01e5415b500a5e724
Opcode Fuzzy Hash: 55799f3d705b688186e6e658e07e1f7f58d3042459e26192c68e257bd960546e
Instruction Fuzzy Hash: 563113719412486EEB3286745C85BDA3768DB42704F2404FBD284F72C2E77D8E89CBAD

Function 0040C5CE Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

IsBadWritePtr.KERNEL32(00000000), ref: 0040C5EC
IsBadWritePtr.KERNEL32(?,000041C4), ref: 0040C625
IsBadWritePtr.KERNEL32(?,00008000), ref: 0040C685

Strings

, xrefs: 0040C885
@, xrefs: 0040C845

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Write
String ID: $@
API String ID: 3165279579-1077428164
Opcode ID: 2adcf420c7e45416a2e3f72929e20141f464f3192860ced93f91c0fbac91ddad
Instruction ID: 57b7ac05fb46af663c2f481ef697e4288759fd8fa5f4a5c276f9f78e2c3e2a99
Opcode Fuzzy Hash: 2adcf420c7e45416a2e3f72929e20141f464f3192860ced93f91c0fbac91ddad
Instruction Fuzzy Hash: 35A14A32D00216DBDB24DB58C8C06AEB3B1BB54326F20877BD527B62D1D7789942EB49

Function 0040AEDE Relevance: 7.7, APIs: 5, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fa223ca1964b84b87052129f914800067fdc7a2f1009c5141d2c206aebff9d
Instruction ID: c4ed90b157d624312e02addc358cc1ab3ceeb2061e4556225d55c93fc279ea98
Opcode Fuzzy Hash: 93fa223ca1964b84b87052129f914800067fdc7a2f1009c5141d2c206aebff9d
Instruction Fuzzy Hash: 69714772500215BADB226B25CC40BAB3A2ADB407E4F15413BFC64BB3E1DB38DD50A6CD

Function 00409C76 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00409CCF
GetFileType.KERNEL32(00000800), ref: 00409D75
GetStdHandle.KERNEL32(-000000F6), ref: 00409DCE
GetFileType.KERNEL32(00000000), ref: 00409DDC
SetHandleCount.KERNEL32 ref: 00409E13

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 8d2cf682e8aae9f12f99a58e5b40a267fbf19067efbc43b15841da555f83dc55
Instruction ID: 629a5f445d47fb485e5b92b97776912fed3ad4079e60577beb6fc872dcdc357d
Opcode Fuzzy Hash: 8d2cf682e8aae9f12f99a58e5b40a267fbf19067efbc43b15841da555f83dc55
Instruction Fuzzy Hash: 055136719442518BD7218F28CC48B967B90EF52320F19873EE5A6EB3E2DB38DC85C759

Function 0040CA63 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 27memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,([A,0040CB63,([A,00000000,0000000A,-00000030,00000000,?,0040CC15,00000010,0040901A,00000000,0000000A), ref: 0040CA72
HeapFree.KERNEL32(00000000,0000000A,?,0040CC15,00000010,0040901A,00000000,0000000A), ref: 0040CAA8

Strings

([A, xrefs: 0040CA78, 0040CA83
([A, xrefs: 0040CA88
([A, xrefs: 0040CA63

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Free$HeapVirtual
String ID: ([A$([A$([A
API String ID: 3783212868-485227959
Opcode ID: 4c49a968bc0b0e1f8829033817525829fee88987ac3366273c73e1a64aff2a9b
Instruction ID: db7307649e4f681218e297089eed455a3f41b52a4525a67e4ad9fa26a558860b
Opcode Fuzzy Hash: 4c49a968bc0b0e1f8829033817525829fee88987ac3366273c73e1a64aff2a9b
Instruction Fuzzy Hash: 7DF0DA71548610DFC725DF18ED84BC6BBB1EB49720B11852AF696977A0C770BC80CF88

Function 00407773 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 183libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation), ref: 00407793
GetProcAddress.KERNEL32(00000000), ref: 0040779A

Strings

ntdll, xrefs: 0040778E
NtQuerySystemInformation, xrefs: 00407789

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQuerySystemInformation$ntdll
API String ID: 1646373207-3593917365
Opcode ID: 16e619bb711fb1b5b349aa6f6823970c37b1f66631ee66875d4f6a06ae15c941
Instruction ID: 3aac871426265193e534f7263ec0f2979e53ea9c302f7b19d4dee45939947f14
Opcode Fuzzy Hash: 16e619bb711fb1b5b349aa6f6823970c37b1f66631ee66875d4f6a06ae15c941
Instruction Fuzzy Hash: BA71C3B1E00605EFD724DF55D88499ABBB4FF48304F2185AED045A7262EB30EA55CBA0

Function 00402FD5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 00402FEB
WSAIoctl.WS2_32(0002BF20,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 00403096

Strings

x=%d, y=%d, xrefs: 0040300F, 00403015, 00403027, 00403040, 0040305C, 00403075
i=%d, j=%d, xrefs: 00403000, 00403007, 0040301E, 00403030, 00403053, 00403065

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: i=%d, j=%d$x=%d, y=%d
API String ID: 1903391676-1211302626
Opcode ID: 2e8fb80135a8fd15338480637f8e5c14dfce9db7cdbeef607db4f8490a63513c
Instruction ID: e5c3403da9ceab19e5fb53ddc8ca521e08dbcd3b3870f2f7ca2bc3b5502f9d06
Opcode Fuzzy Hash: 2e8fb80135a8fd15338480637f8e5c14dfce9db7cdbeef607db4f8490a63513c
Instruction Fuzzy Hash: 04111FB16402097DF6117A519D46FFF775CDB42B8CF00C42AB744B92C3EAB84E1156B9

Function 0040D94C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,A'@,00000000,@XA,00000000,00415840,?,0040DA44,00415840,00000000,00000002,00000001,00000000,?), ref: 0040D99B
GetLastError.KERNEL32 ref: 0040D9A8

Strings

A'@, xrefs: 0040D996
@XA, xrefs: 0040D990

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: @XA$A'@
API String ID: 2976181284-2922937615
Opcode ID: d12fc55695f935a445e30db32e21ef12d82db6491b8fb8bac7924328bba55fe0
Instruction ID: cfe283e067ac49183c2045b2ecda98058100b9d52128cc8452dabc1f3c7e7db9
Opcode Fuzzy Hash: d12fc55695f935a445e30db32e21ef12d82db6491b8fb8bac7924328bba55fe0
Instruction Fuzzy Hash: 2D11C4B19082019BC710CBB8DD987563794AB05338F21873EF522E72D1DB78C849D74C

Function 0040AA7A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00408A9D), ref: 0040AA7F
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040AA8F

Strings

IsProcessorFeaturePresent, xrefs: 0040AA89
KERNEL32, xrefs: 0040AA7A

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: afd57e2ac2808bb1d871420b97466693a6b2bf49d46f7bee87e48af1d80616e7
Instruction ID: 538ef96528a9605923bab4d0de7bf5319326fd66ae5a0ea854de2d285d4baee8
Opcode Fuzzy Hash: afd57e2ac2808bb1d871420b97466693a6b2bf49d46f7bee87e48af1d80616e7
Instruction Fuzzy Hash: CFC012203C030BBADA209BB11F19B962A485B04B02F2442367A1DF41C0CAECC070D92F

Function 00402651 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,WSASocketA), ref: 00402660
GetProcAddress.KERNEL32(00000000), ref: 00402667

Strings

WS2_32.dll, xrefs: 0040265B
WSASocketA, xrefs: 00402656

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: WS2_32.dll$WSASocketA
API String ID: 2574300362-2240758815
Opcode ID: ae28e519a7b6e80e91a8529fa1c04e09e90698f9997b49527fef2b1e638b0183
Instruction ID: 7a3db4533e7f13413eacb98dcc8fdfd7c6e783eaaf2c3a3aa3856f6d00b56da8
Opcode Fuzzy Hash: ae28e519a7b6e80e91a8529fa1c04e09e90698f9997b49527fef2b1e638b0183
Instruction Fuzzy Hash: 09C04CB0D40600BBC6015B609D0D7D43E55A6887417A085677609E1190CAF80151DE1D

Function 0040262F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.dll,htons), ref: 0040263E
GetProcAddress.KERNEL32(00000000), ref: 00402645

Strings

htons, xrefs: 00402634
WS2_32.dll, xrefs: 00402639

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: WS2_32.dll$htons
API String ID: 2574300362-178149120
Opcode ID: 309fed516b4dbc28cfdc9ffdf2a72f8a02d4db1a691d998ba347698543ff4364
Instruction ID: e6de2dc05ed5847a78ddefc3f2a9c4cc886c0d13785a7aa472f3717d4e4717a5
Opcode Fuzzy Hash: 309fed516b4dbc28cfdc9ffdf2a72f8a02d4db1a691d998ba347698543ff4364
Instruction Fuzzy Hash: 47C09B74541304BFC7005BA15D0D6D53D55B65D701354C537B705E1190DFF90191D61D

Function 00402691 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,SetProcessWorkingSetSize), ref: 004026A0
GetProcAddress.KERNEL32(00000000), ref: 004026A7

Strings

KERNEL32.dll, xrefs: 0040269B
SetProcessWorkingSetSize, xrefs: 00402696

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: KERNEL32.dll$SetProcessWorkingSetSize
API String ID: 2574300362-3706258605
Opcode ID: 07db207d0140fc3224ad6132a95ba6a79a327df64de8e12d1b43bad5bd330965
Instruction ID: 0015a468a98a0ffe5f7f3df7b353b68da85e8202853dfc7b528b9042ea931de4
Opcode Fuzzy Hash: 07db207d0140fc3224ad6132a95ba6a79a327df64de8e12d1b43bad5bd330965
Instruction Fuzzy Hash: 3EC04C71941700BAD7105B609D0DBD43959A6487423E08566B10AD1190CAB80094DA1D

Function 0040D9E6 Relevance: 6.1, APIs: 4, Instructions: 139fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,?), ref: 0040DABE

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8c91f5432ddeee5293cf55af43f09b8f848b0256b885b5908f837f6952682f42
Instruction ID: afc7b15f90409d4cce33868b2a7bd211e48c26d4a2c2ca80f35d74857d62724a
Opcode Fuzzy Hash: 8c91f5432ddeee5293cf55af43f09b8f848b0256b885b5908f837f6952682f42
Instruction Fuzzy Hash: 2651A371E04208EFCB11CFA8C984ADD7BB4FB45350F21817AE916AB290D7749A49CF58

Function 00407C20 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

GetIfTable.IPHLPAPI(00000000,?,00000001), ref: 00407C42
GetIfTable.IPHLPAPI(00000000,?,00000001), ref: 00407C66
GetTickCount.KERNEL32 ref: 00407D1B
GetTickCount.KERNEL32 ref: 00407D30

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CountTableTick
String ID:
API String ID: 316864735-0
Opcode ID: 446bbcad1c79a80f54a11c1d6b38d3c725f923def6967b3bb684b8115a896fd6
Instruction ID: fde055a7c582602a073f59b3a9c2983dd07b33d48f8a6fbf85bfd16946571020
Opcode Fuzzy Hash: 446bbcad1c79a80f54a11c1d6b38d3c725f923def6967b3bb684b8115a896fd6
Instruction Fuzzy Hash: CD316E71E08215AFDB14DF68D98069ABBF6FB48310F10847ED949E3390DB74AE41CB98

Function 004115D2 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,-00000763,-00000763,-00000763,?,-00000763,?,0040E21A), ref: 00411601
MultiByteToWideChar.KERNEL32(?,00000009,?,-00000763,00000000,00000000,?,-00000763,?,0040E21A), ref: 00411614
MultiByteToWideChar.KERNEL32(?,00000001,?,-00000763,?,00000000,?,-00000763,?,0040E21A), ref: 00411660
CompareStringW.KERNEL32(?,00000006,00000000,-00000763,?,00000000,?,00000000,?,-00000763,?,0040E21A), ref: 00411678

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 628d27e1d9cd974a96493e08d4972d5a420bd1ed413e27db758fe659bf7e9604
Instruction ID: f0c3647fc61c5939d7cbe72e16721f875ba5624940e9c3ef6c7f71f348a9962b
Opcode Fuzzy Hash: 628d27e1d9cd974a96493e08d4972d5a420bd1ed413e27db758fe659bf7e9604
Instruction Fuzzy Hash: 28213B32900249EFCF218F94CD41ADEBFB6FF48350F15462AFA1072160C3369961DBA8

Function 0040C05B Relevance: 6.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000050,?,00000000), ref: 0040C083
RtlAllocateHeap.NTDLL(00000008,000041C4,?), ref: 0040C0B7
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0040C0D1
HeapFree.KERNEL32(00000000,?), ref: 0040C0E8

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Heap$Allocate$AllocFreeVirtual
String ID:
API String ID: 94566200-0
Opcode ID: abaa32a9d15426d2a43737c6ce3b68e869d4898ab25d8fb3cb65aaf4b96b63ac
Instruction ID: 4e544f0637167c1653db0c9f56540a45586026c683dedc9bdf5ed5bd1dd5f3ad
Opcode Fuzzy Hash: abaa32a9d15426d2a43737c6ce3b68e869d4898ab25d8fb3cb65aaf4b96b63ac
Instruction Fuzzy Hash: 2C11D7B1204601EBC721CF59EC85DA67BB6FB49720710C63EF262D61B0DBB1A852DB18

Function 0040578B Relevance: 6.0, APIs: 4, Instructions: 33networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000000), ref: 0040579F

Part of subcall function 0040260A: inet_addr.WS2_32(?), ref: 0040260E
Part of subcall function 0040260A: gethostbyname.WS2_32(?), ref: 0040261C

socket.WS2_32(00000002,00000001,00000000), ref: 004057BD
connect.WS2_32(00000000,00000002,00000010), ref: 004057CC
closesocket.WS2_32(00000000), ref: 004057D8

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 1954806591-0
Opcode ID: 499af27a99b3e525cc66e43c47cf20a4ae9057e883845d3aca84c50d48299515
Instruction ID: 53579a3fc73d097e04c0fa872a5a3e1c249cfc766e889caa4f4839dd50c45134
Opcode Fuzzy Hash: 499af27a99b3e525cc66e43c47cf20a4ae9057e883845d3aca84c50d48299515
Instruction Fuzzy Hash: 16F08935500214B6D710A7A4AD4ABEE7678EF05724F10462AF625E61D0DBF445508BAD

Function 00402524 Relevance: 6.0, APIs: 4, Instructions: 32networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00402531
htons.WS2_32(?), ref: 0040254D
connect.WS2_32(00000000,00000002,00000010), ref: 0040255E
closesocket.WS2_32(00000000), ref: 0040256A

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: closesocketconnecthtonssocket
String ID:
API String ID: 3817148366-0
Opcode ID: 4346206fa24754252258424c22c40528ad3b5498cdcfe0a6f553be412d6145c0
Instruction ID: e660f6890c169c9fca879cbd32495503f69ba39a1545db4ef8690b4adf1fc059
Opcode Fuzzy Hash: 4346206fa24754252258424c22c40528ad3b5498cdcfe0a6f553be412d6145c0
Instruction Fuzzy Hash: C9F030349401247AD710AB68AD0DBEDB678AF05774F004725FA35E62E0E7F59620879D

Function 0040FC8E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0040FCA2

Strings

, xrefs: 0040FCEB
, xrefs: 0040FCC7

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: c2ac7f20b7043a8bcec9c8c25ad4611a8cee618e414e3d98af1ccb4bb841b7c7
Instruction ID: f1f7576c511da1a47cd10b917c746b033a0cd605e75fc9adc3bcd54ead21d5e9
Opcode Fuzzy Hash: c2ac7f20b7043a8bcec9c8c25ad4611a8cee618e414e3d98af1ccb4bb841b7c7
Instruction Fuzzy Hash: 074149310142981AEB229714DD49BFB3FA8EF02704F1400FBD546E75D3C679498CDBAA

Function 00410191 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?), ref: 004101B6
GetLastError.KERNEL32 ref: 004101C0

Part of subcall function 00410063: SetStdHandle.KERNEL32(000000F6,?,00000000,?,00000000,0041020E,00000000,?), ref: 004100B3

Strings

@, xrefs: 004101A1

Memory Dump Source

Source File: 00000000.00000002.2029313538.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2029300514.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000414000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.0000000000417000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029313538.000000000041B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029405054.000000000041C000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.2029416922.000000000041D000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorFileHandleLastType
String ID: @
API String ID: 1910029465-2766056989
Opcode ID: 74444cf0a481934128c07e172aa453b4f973fe814d57b8e3706283b9d1a20cd0
Instruction ID: 144c9a55f287517bd9041dea95d608578f3341bc5e2bb24f645e30baf87da6d2
Opcode Fuzzy Hash: 74444cf0a481934128c07e172aa453b4f973fe814d57b8e3706283b9d1a20cd0
Instruction Fuzzy Hash: D911043224224477DB305A68EC087DA7B449B06375F18C62BF964962D2DFBD89C4AB4D

Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49705 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2837549 - Severity 1 - ETPRO MALWARE Win32/DDoS.tf CnC Checkin : 192.168.2.5:49705 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49704 -> 202.181.25.108:16681
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49718 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2837549 - Severity 1 - ETPRO MALWARE Win32/DDoS.tf CnC Checkin : 192.168.2.5:49718 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49724 -> 202.181.25.108:16681
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49773 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2837549 - Severity 1 - ETPRO MALWARE Win32/DDoS.tf CnC Checkin : 192.168.2.5:49773 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49820 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2837549 - Severity 1 - ETPRO MALWARE Win32/DDoS.tf CnC Checkin : 192.168.2.5:49820 -> 199.59.243.227:8081
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49784 -> 202.181.25.108:16681
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49845 -> 202.181.25.108:16681
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49902 -> 202.181.25.108:16681
Source: Network traffic	Suricata IDS: 2034193 - Severity 1 - ET MALWARE Win32/Agent.RTQ CnC Activity : 192.168.2.5:49951 -> 202.181.25.108:16681

Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 202.181.25.108:16681
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 199.59.243.227:8081

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\jmbnii.exe

C:\Windows\jmbnii.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
file.exe

Function 00406903 Relevance: 46.3, APIs: 18, Strings: 8, Instructions: 783
serviceregistrylibraryCOMMON

Function 004066B8 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 74
sleepCOMMON

Function 004090F1 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Function 0040679F Relevance: 68.4, APIs: 2, Strings: 37, Instructions: 118
registryCOMMON

Function 004046A2 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 122
fileCOMMON

Function 004075EE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
serviceregistryCOMMON

Function 00408DAD Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Function 0040B7DF Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 00405178 Relevance: 66.9, APIs: 17, Strings: 21, Instructions: 435
registrylibrarynetworkCOMMON

Function 00404AA9 Relevance: 65.2, APIs: 35, Strings: 2, Instructions: 418
threadCOMMON

Function 004057E8 Relevance: 72.0, APIs: 9, Strings: 32, Instructions: 219
networkCOMMON

Function 004041A9 Relevance: 68.7, APIs: 32, Strings: 7, Instructions: 417
networkthreadsleepCOMMON

Function 004026B3 Relevance: 60.0, APIs: 16, Strings: 18, Instructions: 498
networkCOMMON